Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Infraccion-Multa.msi

Overview

General Information

Sample name:Infraccion-Multa.msi
Analysis ID:1567497
MD5:ca95e99d14a8ddfdf12406dd3d884888
SHA1:a66e770830656fe38a6fddd566d4e35c02e07ca1
SHA256:c3f805710d62fd6f1f1258a4c6c64ca0a5f69b3c650f3714a02cc691b7ffba30
Tags:EternalRocksmsisigneduser-threatinte1
Infos:

Detection

AteraAgent
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AteraAgent
AI detected suspicious sample
Creates files in the system32 config directory
Installs Task Scheduler Managed Wrapper
Queries disk data (e.g. SMART data)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Yara detected Generic Downloader
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64
  • msiexec.exe (PID: 6344 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Infraccion-Multa.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7028 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 6912 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 6591223B205D707BA6F325A467EDBE08 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 5428 cmdline: rundll32.exe "C:\Windows\Installer\MSI466F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6702921 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7204 cmdline: rundll32.exe "C:\Windows\Installer\MSI49FA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6703640 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7340 cmdline: rundll32.exe "C:\Windows\Installer\MSI61D8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6709734 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 8044 cmdline: rundll32.exe "C:\Windows\Installer\MSI8CE5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6720781 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd MD5: 889B99C52A60DD49227C5E485A016679)
      • AteraAgent.exe (PID: 7340 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
        • sc.exe (PID: 7468 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
          • conhost.exe (PID: 7516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • AgentPackageMonitoring.exe (PID: 7432 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "eedd4cdd-5579-4207-ae57-b13ccd121903" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000ODucuIAD MD5: 5E3252E0248B484E76FCDBF8B42A645D)
          • conhost.exe (PID: 7440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • AgentPackageAgentInformation.exe (PID: 6076 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "d2d2be46-3b57-4869-a6b9-15804b85d2e6" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000ODucuIAD MD5: FD9DF72620BCA7C4D48BC105C89DFFD2)
          • conhost.exe (PID: 5640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 5996 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 4808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cscript.exe (PID: 2684 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
        • AgentPackageUpgradeAgent.exe (PID: 4216 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "99606d51-99fd-437f-9dca-e8b9473d35de" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000ODucuIAD MD5: E9794F785780945D2DDE78520B9BB59F)
          • conhost.exe (PID: 3088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • msiexec.exe (PID: 4472 cmdline: "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart MD5: E5DA170027542E25EDE42FC54C929077)
        • AgentPackageTicketing.exe (PID: 3008 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "36a6e7ff-f179-4645-aa27-c561b454e5ca" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000ODucuIAD MD5: DB1DB66EBD9B15B7DCD55374EA56EE5E)
          • conhost.exe (PID: 6432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • AgentPackageMonitoring.exe (PID: 2312 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "f8e916f1-5ec1-45cf-af7d-3313f4cd01ba" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000ODucuIAD MD5: 5E3252E0248B484E76FCDBF8B42A645D)
          • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • AgentPackageOsUpdates.exe (PID: 2724 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "5d15feda-d051-4164-a19c-70689c4a1b8c" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000ODucuIAD MD5: 680BAC4393DA4DAFE0100D9483D3B6E4)
          • conhost.exe (PID: 6796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 7420 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F3C7ACDB760312621E2999EFF01041E2 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • net.exe (PID: 7456 cmdline: "NET" STOP AteraAgent MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 7504 cmdline: C:\Windows\system32\net1 STOP AteraAgent MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • taskkill.exe (PID: 7528 cmdline: "TaskKill.exe" /f /im AteraAgent.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AteraAgent.exe (PID: 7596 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="ibarra3168@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000ODucuIAD" /AgentId="5ea19671-d970-4e60-89b1-722649f3b810" MD5: 477293F80461713D51A98A24023D45E8)
    • msiexec.exe (PID: 3872 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D91E01284641A82F51BC37F15E50E5A2 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 644 cmdline: rundll32.exe "C:\Windows\Installer\MSIF30D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6812500 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
  • svchost.exe (PID: 5660 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • AteraAgent.exe (PID: 7808 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 7948 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 1860 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "1fc16f57-6eb4-4ae2-999f-a0059e46a084" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000ODucuIAD MD5: FD9DF72620BCA7C4D48BC105C89DFFD2)
      • conhost.exe (PID: 1748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 2380 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "b169c455-145e-4bb1-8ab1-50dcde04909e" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000ODucuIAD MD5: FD9DF72620BCA7C4D48BC105C89DFFD2)
      • conhost.exe (PID: 7252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 2860 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "d2d11576-3590-4185-9a38-cc8b3bdf45d0" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000ODucuIAD MD5: FD9DF72620BCA7C4D48BC105C89DFFD2)
      • conhost.exe (PID: 2992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7568 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "565525fa-351e-40ec-a343-6f2744ff6d7e" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000ODucuIAD MD5: FD9DF72620BCA7C4D48BC105C89DFFD2)
      • conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 2816 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cscript.exe (PID: 5480 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
    • AgentPackageSTRemote.exe (PID: 7960 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "345e95c7-6808-46fb-8299-d48876510569" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000ODucuIAD MD5: 5129E29D4D9A8ED94E04099622316B37)
      • conhost.exe (PID: 7996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageMonitoring.exe (PID: 7856 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "eedd4cdd-5579-4207-ae57-b13ccd121903" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000ODucuIAD MD5: 5E3252E0248B484E76FCDBF8B42A645D)
      • conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • sppsvc.exe (PID: 7792 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)
  • svchost.exe (PID: 4128 cmdline: C:\Windows\System32\svchost.exe -k smphost MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • AgentPackageUpgradeAgent.exe (PID: 1368 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun MD5: E9794F785780945D2DDE78520B9BB59F)
    • conhost.exe (PID: 432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLogJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
    C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\log.txtJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
      C:\Windows\Temp\~DF3C9EDA7385DB5313.TMPJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
        C:\Windows\Temp\~DF8A7712CC4AE893DF.TMPJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
          C:\Windows\Temp\~DF528258350F0B1D00.TMPJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
            Click to see the 63 entries

            Memory Dumps

            SourceRuleDescriptionAuthorStrings
            0000002C.00000002.2399031709.00000209805EA000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
              00000010.00000002.2295288201.00000244F9F10000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                0000001C.00000002.2505638725.0000022CDB50E000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                  0000001F.00000002.2184887619.0000022891A60000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                    00000039.00000002.2517968191.00000232C0AF0000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                      Click to see the 374 entries

                      Unpacked PEs

                      SourceRuleDescriptionAuthorStrings
                      57.2.AgentPackageOsUpdates.exe.232c0cd0000.1.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                        53.2.AgentPackageTicketing.exe.21aa3780000.1.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                          53.2.AgentPackageTicketing.exe.21aa3780000.1.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                            53.0.AgentPackageTicketing.exe.21aa2f90000.0.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                              22.2.AgentPackageAgentInformation.exe.15de14c0000.1.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                                Click to see the 9 entries

                                Sigma Signatures

                                Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
                                Source: Process startedAuthor: Michael Haag: Data: Command: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2816, ParentProcessName: cmd.exe, ProcessCommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ProcessId: 5480, ProcessName: cscript.exe
                                Sigma detected: Net.exe Execution
                                Source: Process startedAuthor: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding F3C7ACDB760312621E2999EFF01041E2 E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7420, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 7456, ProcessName: net.exe
                                Sigma detected: Stop Windows Service Via Net.EXE
                                Source: Process startedAuthor: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding F3C7ACDB760312621E2999EFF01041E2 E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7420, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 7456, ProcessName: net.exe
                                Sigma detected: Windows Processes Suspicious Parent Directory
                                Source: Process startedAuthor: vburov: Data: Command: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, CommandLine: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, ProcessId: 5660, ProcessName: svchost.exe

                                Suricata Signatures

                                No Suricata rule has matched

                                Joe Sandbox Signatures

                                Click to jump to signature section

                                Show All Signature Results

                                AV Detection

                                barindex
                                Multi AV Scanner detection for dropped file
                                Source: 6640c9.rbf (copy)ReversingLabs: Detection: 23%
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeReversingLabs: Detection: 23%
                                Multi AV Scanner detection for submitted file
                                Source: Infraccion-Multa.msiReversingLabs: Detection: 28%
                                AI detected suspicious sample
                                Source: Submited SampleIntegrated Neural Analysis Model: Matched 97.2% probability
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C54BC0 CryptAcquireContextW,GetLastError,CryptReleaseContext,CryptReleaseContext,CryptReleaseContext,39_2_00007FFB02C54BC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C54E20 CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptEncrypt,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,CryptDestroyHash,39_2_00007FFB02C54E20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C54DE0 CryptReleaseContext,39_2_00007FFB02C54DE0
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA NetworksJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgentJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.configJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\AteraSetupLog.txt
                                Source: Binary string: gent\obj\Release\AteraAgent.pdbAgen source: AteraAgent.exe, 00000010.00000002.2242092164.000000E0585E9000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 00000027.00000002.2117074792.0000023E79F52000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: AgentPackageOsUpdates.exe, 00000039.00000002.2596284621.00000232D9C52000.00000002.00000001.01000000.00000037.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000E.00000000.1421332845.000001ECACC22000.00000002.00000001.01000000.00000010.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000016.00000002.1931745402.0000015DE14C2000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageTicketing.exe, 00000035.00000002.2712915043.0000021AA37A2000.00000002.00000001.01000000.0000003F.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000031.00000000.2321100224.0000020896912000.00000002.00000001.01000000.00000029.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 00000027.00000002.2120107603.0000023E7A322000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbd source: AgentPackageUpgradeAgent.exe, 00000031.00000000.2321100224.0000020896912000.00000002.00000001.01000000.00000029.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 00000027.00000002.2118441460.0000023E7A182000.00000002.00000001.01000000.00000024.sdmp
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.FileSystem\4.0.3.0\System.IO.FileSystem.pdb8)R) D)_CorDllMainmscoree.dll source: System.IO.FileSystem.dll.28.dr
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 00000027.00000002.2116047669.0000023E792D2000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackages.CommonLib\obj\Release\Atera.AgentPackages.CommonLib.pdb5` source: Atera.AgentPackages.CommonLib.dll.28.dr
                                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Diagnostics.StackTrace/netfx\System.Diagnostics.StackTrace.pdb source: System.Diagnostics.StackTrace.dll.28.dr
                                Source: Binary string: p:\Codeplex\CredentialManagement\Development\CredentialManagement\obj\Release\CredentialManagement.pdb source: CredentialManagement.dll.28.dr
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000005.00000003.1329264986.00000000042F9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.00000000046F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000503E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.000000000468B000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.FileSystem\4.0.3.0\System.IO.FileSystem.pdb source: System.IO.FileSystem.dll.28.dr
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000E.00000000.1421332845.000001ECACC22000.00000002.00000001.01000000.00000010.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdb!_;_ -__CorDllMainmscoree.dll source: AgentPackageOsUpdates.exe, 00000039.00000002.2523572336.00000232C0CD2000.00000002.00000001.01000000.00000032.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: AgentPackageUpgradeAgent.exe, 00000031.00000002.2748240282.00000208AFBF9000.00000004.00000020.00020000.00000000.sdmp, System.ValueTuple.dll.16.dr
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.ComponentModel\4.0.1.0\System.ComponentModel.pdb source: System.ComponentModel.dll.28.dr
                                Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdb source: AgentPackageOsUpdates.exe, 00000039.00000002.2583203795.00000232D9A82000.00000002.00000001.01000000.00000036.sdmp
                                Source: Binary string: D:\a\1\s\TicketingTray\obj\Release\TicketingTray.pdb source: TicketingTrayTMP.exe.28.dr
                                Source: Binary string: t.pdbal source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF36EB000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 00000010.00000002.2307628363.00000244FB462000.00000002.00000001.01000000.00000028.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 00000010.00000002.2307628363.00000244FB462000.00000002.00000001.01000000.00000028.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB228000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000002.2119277255.0000023E7A262000.00000002.00000001.01000000.00000025.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 00000027.00000002.2118201355.0000023E7A102000.00000002.00000001.01000000.00000023.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 00000027.00000002.2118441460.0000023E7A182000.00000002.00000001.01000000.00000024.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageProgramManagement\ThirdPartyPackageManager\obj\Release\ThirdPartyPackageManager.pdb source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAF71000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 00000016.00000000.1891055349.0000015DE1042000.00000002.00000001.01000000.00000018.sdmp, AgentPackageAgentInformation.exe.16.dr
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 00000027.00000002.2117074792.0000023E79F52000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000003.1329264986.00000000042F9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.00000000046F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000503E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.000000000468B000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AteraAgent.exe, 00000010.00000002.2242589005.00000244805FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802B3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.1933075717.0000015DFA1C2000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageUpgradeAgent.exe, 00000033.00000002.2350135963.000002A441320000.00000002.00000001.01000000.0000002B.sdmp
                                Source: Binary string: D:\a\QRCoder\QRCoder\QRCoder\obj\Release\net40\QRCoder.pdb source: QRCoder.dll.28.dr
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244805FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802B3000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.1933075717.0000015DFA1C2000.00000002.00000001.01000000.0000001B.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB228000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000002.2119277255.0000023E7A262000.00000002.00000001.01000000.00000025.sdmp, AgentPackageUpgradeAgent.exe, 00000033.00000002.2350135963.000002A441320000.00000002.00000001.01000000.0000002B.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: AgentPackageUpgradeAgent.exe, 00000031.00000002.2740810722.00000208AF9D2000.00000002.00000001.01000000.00000040.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: AgentPackageUpgradeAgent.exe, 00000031.00000002.2748240282.00000208AFBF9000.00000004.00000020.00020000.00000000.sdmp, System.ValueTuple.dll.16.dr
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdbTlnl `l_CorExeMainmscoree.dll source: AgentPackageTicketing.exe, 00000035.00000000.2368008929.0000021AA2F92000.00000002.00000001.01000000.0000002C.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates\obj\Release\AgentPackageOsUpdates.pdb source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000039.00000000.2402109129.00000232C0932000.00000002.00000001.01000000.0000002D.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: AgentPackageUpgradeAgent.exe, 00000031.00000002.2740810722.00000208AF9D2000.00000002.00000001.01000000.00000040.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000000.2056898678.0000023E78DB2000.00000002.00000001.01000000.0000001D.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: Infraccion-Multa.msi, 6640c2.msi.2.dr
                                Source: Binary string: D:\a\1\s\Atera.AgentPackages.CommonLib\obj\Release\Atera.AgentPackages.CommonLib.pdb source: Atera.AgentPackages.CommonLib.dll.28.dr
                                Source: Binary string: em.pdb source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF36EB000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdbSHA256I5 source: AgentPackageOsUpdates.exe, 00000039.00000002.2583203795.00000232D9A82000.00000002.00000001.01000000.00000036.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000005.00000003.1329264986.00000000042F9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.00000000046F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000503E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.000000000468B000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 00000027.00000002.2116047669.0000023E792D2000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: C:\Repos\t2tWinFormAppBarLib\t2tWinFormAppBarLib\obj\Debug\t2tWinFormAppBarLib.pdb source: t2tWinFormAppBarLib.dll.28.dr
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000016.00000002.1931745402.0000015DE14C2000.00000002.00000001.01000000.0000001A.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\RestartReminderNotification\obj\Release\RestartReminderNotification.pdb source: RestartReminderNotification.exe.28.dr
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Diagnostics.DiagnosticSource\net45\System.Diagnostics.DiagnosticSource.pdb source: System.Diagnostics.DiagnosticSource.dll.16.dr
                                Source: Binary string: D:\a\QRCoder\QRCoder\QRCoder\obj\Release\net40\QRCoder.pdbSHA256 P. source: QRCoder.dll.28.dr
                                Source: Binary string: mscorlib.pdb source: AgentPackageOsUpdates.exe, 00000039.00000002.2585887796.00000232D9AF2000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Runtime.Serialization.Primitives/netfx\System.Runtime.Serialization.Primitives.pdb source: System.Runtime.Serialization.Primitives.dll.28.dr
                                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: AgentPackageOsUpdates.exe, 00000039.00000002.2601550486.00000232D9FC5000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: Deserialize7b6c7464-b6cf-439b-8c08-26b88674e5c1onitoring.pdbpdbing.pdb source: AgentPackageMonitoring.exe, 00000037.00000002.2655398589.000001CF6B7C4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 00000027.00000002.2132653310.00007FFB02D9A000.00000002.00000001.01000000.0000001E.sdmp, AgentPackageMonitoring.exe, 00000037.00000002.2692812059.00007FFB02E9C000.00000002.00000001.01000000.0000001E.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdb source: AgentPackageOsUpdates.exe, 00000039.00000002.2523572336.00000232C0CD2000.00000002.00000001.01000000.00000032.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000E.00000002.1491210669.000001ECAE832000.00000002.00000001.01000000.00000012.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2759059438.00000208AFE62000.00000004.00000020.00020000.00000000.sdmp, Pubnub.dll0.2.dr, Pubnub.dll.49.dr
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000E.00000002.1491210669.000001ECAE832000.00000002.00000001.01000000.00000012.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2759059438.00000208AFE62000.00000004.00000020.00020000.00000000.sdmp, Pubnub.dll0.2.dr, Pubnub.dll.49.dr
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 00000027.00000002.2120107603.0000023E7A322000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\TicketingPackageExtensions\obj\Release\TicketingPackageExtensions.pdb source: AgentPackageTicketing.exe, 00000035.00000002.2711924313.0000021AA3782000.00000002.00000001.01000000.0000003E.sdmp
                                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdb source: System.Memory.dll.28.dr
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: Infraccion-Multa.msi, 6640c2.msi.2.dr
                                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Diagnostics.StackTrace/netfx\System.Diagnostics.StackTrace.pdb$.>. 0._CorDllMainmscoree.dll source: System.Diagnostics.StackTrace.dll.28.dr
                                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdbSHA256 source: System.Memory.dll.28.dr
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb source: AgentPackageTicketing.exe, 00000035.00000000.2368008929.0000021AA2F92000.00000002.00000001.01000000.0000002C.sdmp
                                Source: C:\Windows\System32\msiexec.exeFile opened: z:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: x:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: v:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: t:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: r:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: p:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: n:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: l:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: j:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: h:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: f:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: b:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: y:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: w:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: u:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: s:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: q:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: o:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: m:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: k:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: i:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: g:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: e:Jump to behavior
                                Source: C:\Windows\System32\cscript.exeFile opened: c:
                                Source: C:\Windows\System32\msiexec.exeFile opened: a:Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB571873h14_2_00007FFAAB57172D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB571FFFh14_2_00007FFAAB571FAC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB571A44h14_2_00007FFAAB571A2F
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB594ECBh16_2_00007FFAAB594E6B
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then dec eax16_2_00007FFAAB5E6CF3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB59227Bh16_2_00007FFAAB59225D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB574ECBh28_2_00007FFAAB574C41
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB571873h28_2_00007FFAAB570C58
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB571A44h28_2_00007FFAAB570C58
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB571FFFh28_2_00007FFAAB570C58
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB57227Bh28_2_00007FFAAB570C58
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB58BDE2h28_2_00007FFAAB58BB88
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB574ECBh28_2_00007FFAAB574DC8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFAAB571FFFh28_2_00007FFAAB571EB6

                                Networking

                                barindex
                                System process connects to network (likely due to code injection or exploit)
                                Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.119.152.241 443
                                Yara detected Generic Downloader
                                Source: Yara matchFile source: 53.2.AgentPackageTicketing.exe.21aa3780000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 22.0.AgentPackageAgentInformation.exe.15de1040000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, type: DROPPED
                                Source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB053000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.AVAILABILITY/0.16/AGENT.PACKAGE.AVAILABILITY.Z
                                Source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB053000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.WATCHDOG/1.9/AGENT.PACKAGE.WATCHDOG.ZIP
                                Source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB053000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEADREMOTE/6.0/AGENTPACKAGEADREMOTE.ZIP
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEAGENTINFORMATION/38.0/AGENTPACKAGEAGENTINFORMATI
                                Source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAF71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEHEARTBEAT/17.14/AGENTPACKAGEHEARTBEAT.ZIP
                                Source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAEF5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEINTERNALPOLLER/23.8/AGENTPACKAGEINTERNALPOLLER.Z
                                Source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAF71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMARKETPLACE/1.6/AGENTPACKAGEMARKETPLACE.ZIP
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMONITORING/37.8/AGENTPACKAGEMONITORING.ZIP
                                Source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEOSUPDATES/20.9/AGENTPACKAGEOSUPDATES.ZIP
                                Source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEPROGRAMMANAGEMENT/26.3/AGENTPACKAGEPROGRAMMANAGE
                                Source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB053000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGERUNTIMEINSTALLER/1.6/AGENTPACKAGERUNTIMEINSTALLE
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESTREMOTE/24.2/AGENTPACKAGESTREMOTE.ZIP
                                Source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAF71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESYSTEMTOOLS/27.8/AGENTPACKAGESYSTEMTOOLS.ZIP
                                Source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGETICKETING/30.2/AGENTPACKAGETICKETING.ZIP
                                Source: AgentPackageSTRemote.exe, 00000025.00000002.2710720925.000001DFA9918000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a6dc35606b2c6816e.awsglobalaccelerator.com
                                Source: AteraAgent.exe, 0000000E.00000000.1421332845.000001ECACC22000.00000002.00000001.01000000.00000010.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480001000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDACC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://acontrol.atera.com/
                                Source: rundll32.exe, 00000006.00000002.1392754612.0000000004905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244807C5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244805AB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803B7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480799000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1567660735.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.1931975649.0000015DE1A6F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000018.00000002.1932095576.000002823BD8F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.0000022892252000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.00000228921C1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.00000228921FD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000002.2109546115.0000023E00581000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.2255590261.000002D4D4230000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002C.00000002.2399031709.000002098059F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF004CE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF003AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://agent-api.atera.com
                                Source: AgentPackageTicketing.exe, 00000035.00000002.2715321995.0000021AA3C59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.nuget.org
                                Source: rundll32.exe, 00000006.00000002.1392754612.0000000004905000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244807C5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244805AB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803B7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480799000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1567660735.0000000004CB5000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.1931975649.0000015DE1A6F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000018.00000002.1932095576.000002823BD8F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.0000022892252000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.00000228921C1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.00000228921FD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000002.2109546115.0000023E00581000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.2255590261.000002D4D4230000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002C.00000002.2399031709.000002098059F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF004CE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF003AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://atera-agent-api-eu.westeurope.cloudapp.azure.com
                                Source: AgentPackageUpgradeAgent.exe, 00000031.00000002.2708999474.0000020897442000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://blob.ams08prdstr06a.store.core.windows.net
                                Source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF36EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicer
                                Source: AteraAgent.exe, 00000010.00000002.2303594626.00000244FB154000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000025.00000002.2766551156.000001DFC1ED8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmp, Infraccion-Multa.msi, 6640c2.msi.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480694000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244805FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2303594626.00000244FB154000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802B3000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF36EB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF3767000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB617000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2500498014.0000022CDA357000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB228000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAF71000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2759059438.00000208AFE62000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2748240282.00000208AFBF9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmp, Infraccion-Multa.msi, Pubnub.dll0.2.dr, QRCoder.dll.28.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmp, Infraccion-Multa.msi, 6640c2.msi.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.00000244802FF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480791000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802EF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244805FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803B7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB4F4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB1CB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB254000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB65F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
                                Source: AteraAgent.exe, 0000000E.00000002.1493783437.000001ECC73CF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC70D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1492267116.000001ECAE9BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1493783437.000001ECC73DF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2305626780.00000244FB18A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480694000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2296793931.00000244FAD10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244805FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2303594626.00000244FB154000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2306757085.00000244FB22D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2303594626.00000244FB114000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802B3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB409000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF36EB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB62D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB254000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF3767000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB54F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF36D5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB053000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB617000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC70D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480694000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244805FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2303594626.00000244FB0ED000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2306757085.00000244FB22D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802B3000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF36EB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF3767000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB617000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB228000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2759059438.00000208AFE62000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2708999474.0000020897464000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2708999474.0000020897468000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2748240282.00000208AFBF9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmp, Infraccion-Multa.msiString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                                Source: AteraAgent.exe, 00000010.00000002.2296793931.00000244FAD4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2301079436.00000244FB078000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480694000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2301079436.00000244FB050000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2296793931.00000244FAD10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244805FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2303594626.00000244FB154000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802B3000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.1933416029.0000015DFA315000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.1933416029.0000015DFA2BF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000018.00000002.1933415725.000002825450D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF36EB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2608669984.0000022CF3380000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF3767000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2500498014.0000022CDA3BB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF36D5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2608669984.0000022CF3420000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2608669984.0000022CF3399000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmp, Infraccion-Multa.msi, 6640c2.msi.2.drString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
                                Source: AgentPackageAgentInformation.exe, 00000018.00000002.1933415725.0000028254543000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.m
                                Source: AteraAgent.exe, 00000010.00000002.2288124073.00000244F9BFB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000035.00000002.2840252632.0000021ABC1BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.v
                                Source: AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC7159000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/2
                                Source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF36EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/Dig
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2296793931.00000244FADCE000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480694000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244805FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2303594626.00000244FB154000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802B3000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF36EB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF3767000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB617000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2500498014.0000022CDA357000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB228000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAF71000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2759059438.00000208AFE62000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2748240282.00000208AFBF9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmp, Infraccion-Multa.msi, Pubnub.dll0.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmp, Infraccion-Multa.msi, 6640c2.msi.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmp, Infraccion-Multa.msi, 6640c2.msi.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
                                Source: AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC70D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                                Source: AteraAgent.exe, 0000000E.00000002.1493783437.000001ECC73CF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC70D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1492267116.000001ECAE9BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1493783437.000001ECC73DF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2305626780.00000244FB18A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802FF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480791000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802EF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480694000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2296793931.00000244FAD10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244805FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2303594626.00000244FB154000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2306757085.00000244FB22D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2303594626.00000244FB114000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803B7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802B3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB4F4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB409000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF36EB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB62D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                                Source: AteraAgent.exe, 0000000E.00000002.1493783437.000001ECC73D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlf
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC70D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480694000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244805FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2303594626.00000244FB0ED000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2303594626.00000244FB154000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2306757085.00000244FB22D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802B3000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF36EB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF3767000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB617000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB228000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2759059438.00000208AFE62000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2708999474.0000020897464000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2708999474.0000020897468000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2748240282.00000208AFBF9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                                Source: AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC71AD000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC7159000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
                                Source: System.Runtime.Serialization.Primitives.dll.28.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                                Source: AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC71AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl6I
                                Source: AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC70D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlL
                                Source: AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC7159000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlrtV
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmp, Infraccion-Multa.msi, 6640c2.msi.2.drString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
                                Source: AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC7159000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/l
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmp, Infraccion-Multa.msi, 6640c2.msi.2.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                                Source: AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC71AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlche
                                Source: AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC71AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedRootG4.crl
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmp, Infraccion-Multa.msi, 6640c2.msi.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                                Source: AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC71AD000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC7184000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1493783437.000001ECC73D7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC70D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802FF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480791000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802EF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244805FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803B7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB4F4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB1CB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB254000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB65F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                                Source: AteraAgent.exe, 0000000E.00000002.1493783437.000001ECC73CF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC70D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1492267116.000001ECAE9BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1493783437.000001ECC73DF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2305626780.00000244FB18A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480694000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2296793931.00000244FAD10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244805FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2303594626.00000244FB154000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2306757085.00000244FB22D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2303594626.00000244FB114000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802B3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB409000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF36EB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB62D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB254000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF3767000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB54F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF36D5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB053000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB617000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                                Source: AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC71AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl7
                                Source: AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC71AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl?A
                                Source: AteraAgent.exe, 0000000E.00000002.1493783437.000001ECC73D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlB82F8
                                Source: AteraAgent.exe, 0000000E.00000002.1493783437.000001ECC73D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlex
                                Source: AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC71AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlf
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmp, Infraccion-Multa.msi, 6640c2.msi.2.drString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
                                Source: AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC7159000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/lb
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmp, Infraccion-Multa.msi, 6640c2.msi.2.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                                Source: AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC71AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                                Source: AgentPackageTicketing.exe, 00000035.00000002.2715321995.0000021AA3C59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cs2.wpc.gammacdn.net
                                Source: AteraAgent.exe, 00000010.00000002.2301079436.00000244FB050000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                                Source: AteraAgent.exe, 00000010.00000002.2296793931.00000244FADCE000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2296793931.00000244FAD10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                                Source: AgentPackageSTRemote.exe, 00000025.00000002.2710720925.000001DFA9954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://d17kmd0va0f0mp.cloudfront.net
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.000002448029C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB1D8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB600000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB217000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://d25btwd9wax8gu.cloudfront.net
                                Source: AgentPackageAgentInformation.exe, 00000016.00000000.1891055349.0000015DE1042000.00000002.00000001.01000000.00000018.sdmp, AgentPackageAgentInformation.exe.16.drString found in binary or memory: http://dl.google.com/googletalk/googletalk-setup.exe
                                Source: AgentPackageSTRemote.exe, 00000025.00000002.2710720925.000001DFA9954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://download.splashtop.com
                                Source: AgentPackageSTRemote.exe, 00000025.00000002.2710720925.000001DFA9954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://download.splashtop.comp
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C15A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gig-ai-prod-weur-0-app-v4-tag.westeurope.cloudapp.azure.com
                                Source: rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
                                Source: QRCoder.dll.28.drString found in binary or memory: http://maps.google.com/maps?q=
                                Source: AgentPackageSTRemote.exe, 00000025.00000002.2710720925.000001DFA9918000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://my.splashtop.com
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2118441460.0000023E7A182000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://nlog-project.org/dummynamespace/
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2118441460.0000023E7A182000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://nlog-project.org/ws/
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2118441460.0000023E7A182000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://nlog-project.org/ws/3
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2118441460.0000023E7A182000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://nlog-project.org/ws/5
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2118441460.0000023E7A182000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverOneWayServer/ProcessLogMessages
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2118441460.0000023E7A182000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesResponsep
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2118441460.0000023E7A182000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2118441460.0000023E7A182000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://nlog-project.org/ws/T
                                Source: AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC70D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rh
                                Source: AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC70D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
                                Source: AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC70D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUy
                                Source: AteraAgent.exe, 0000000E.00000002.1493783437.000001ECC73CF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC70D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1492267116.000001ECAE9BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1493783437.000001ECC73DF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2305626780.00000244FB18A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802FF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480791000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802EF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480694000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2296793931.00000244FAD10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244805FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2303594626.00000244FB154000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2306757085.00000244FB22D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2303594626.00000244FB114000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803B7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802B3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB4F4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB409000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF36EB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB62D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2301079436.00000244FB078000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480694000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2301079436.00000244FB050000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2296793931.00000244FAD10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244805FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2303594626.00000244FB154000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802B3000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.1933416029.0000015DFA315000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.1933416029.0000015DFA2BF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000018.00000002.1933415725.000002825450D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF36EB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2608669984.0000022CF3380000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF3767000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2500498014.0000022CDA3BB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF36D5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2608669984.0000022CF3420000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2608669984.0000022CF3399000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480694000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244805FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2303594626.00000244FB154000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802B3000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF36EB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF3767000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB617000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2500498014.0000022CDA357000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB228000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAF71000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2759059438.00000208AFE62000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2748240282.00000208AFBF9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmp, Infraccion-Multa.msi, Pubnub.dll0.2.dr, QRCoder.dll.28.drString found in binary or memory: http://ocsp.digicert.com0C
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmp, Infraccion-Multa.msi, 6640c2.msi.2.drString found in binary or memory: http://ocsp.digicert.com0K
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmp, Infraccion-Multa.msi, 6640c2.msi.2.drString found in binary or memory: http://ocsp.digicert.com0N
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmp, Infraccion-Multa.msi, 6640c2.msi.2.drString found in binary or memory: http://ocsp.digicert.com0O
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC70D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480694000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244805FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2303594626.00000244FB0ED000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2303594626.00000244FB154000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2306757085.00000244FB22D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802B3000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF36EB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF3767000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB617000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB228000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2759059438.00000208AFE62000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2708999474.0000020897464000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2708999474.0000020897468000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2748240282.00000208AFBF9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                                Source: AteraAgent.exe, 00000010.00000002.2296793931.00000244FAD4D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2608669984.0000022CF3420000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRS
                                Source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF3688000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
                                Source: AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC7159000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF
                                Source: AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC70D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
                                Source: AteraAgent.exe, 00000010.00000002.2301079436.00000244FB050000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2608669984.0000022CF33D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
                                Source: AteraAgent.exe, 00000010.00000002.2296793931.00000244FAD4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
                                Source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF36D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crll
                                Source: AgentPackageUpgradeAgent.exe, 00000031.00000002.2708999474.0000020897442000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://packagesstore.blob.core.windows.net
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.000002448029C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480294000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB1D8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB600000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB1CB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB217000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB617000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ps.atera.com
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.00000244803C2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB51E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ps.pndsn.com
                                Source: AteraAgent.exe, 0000000E.00000002.1492267116.000001ECAE9BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org
                                Source: AteraAgent.exe, 0000000E.00000002.1492267116.000001ECAE9BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                                Source: AteraAgent.exe, 0000000E.00000002.1492267116.000001ECAE9BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2118441460.0000023E7A182000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                                Source: rundll32.exe, 00000006.00000002.1392754612.00000000048E4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1392754612.0000000004841000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480001000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1567660735.0000000004C97000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1567660735.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.1931975649.0000015DE19C3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000018.00000002.1932095576.000002823BD1F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDACC1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.0000022892001000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.000002289222D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000025.00000002.2710720925.000001DFA9891000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000002.2109546115.0000023E000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.2255590261.000002D4D3D9D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002C.00000002.2399031709.00000209801D4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2708999474.0000020897311000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000035.00000002.2715321995.0000021AA38F1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0031B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C1575000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C15A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://westeurope-5.in.applicationinsights.azure.com
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmp, Infraccion-Multa.msi, 6640c2.msi.2.drString found in binary or memory: http://wixtoolset.org
                                Source: rundll32.exe, 00000005.00000003.1329264986.00000000042F9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.00000000046F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000503E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.000000000468B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
                                Source: rundll32.exe, 00000005.00000003.1329264986.00000000042F9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.00000000046F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000503E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.000000000468B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/news/
                                Source: rundll32.exe, 00000005.00000003.1329264986.00000000042F9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.00000000046F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000503E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.000000000468B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/releases/
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2116479281.0000023E79722000.00000002.00000001.01000000.00000021.sdmp, AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF000E9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0056B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.abit.com.tw/
                                Source: AteraAgent.exe, 00000010.00000002.2303594626.00000244FB154000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.c
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.00000244802FF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480791000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802EF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244805FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803B7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB4F4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB1CB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB254000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB65F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1493783437.000001ECC73CF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC70D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1492267116.000001ECAE9BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.1493783437.000001ECC73DF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2305626780.00000244FB18A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480694000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2296793931.00000244FAD10000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244805FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2303594626.00000244FB154000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2306757085.00000244FB22D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2303594626.00000244FB114000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802B3000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB409000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF36EB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB62D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB254000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF3767000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                                Source: AteraAgent.exe, 0000000E.00000002.1492267116.000001ECAE9BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                                Source: AteraAgent.exe, 0000000E.00000002.1492267116.000001ECAE9BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.oh
                                Source: AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.000002289222D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.0000022892298000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.P
                                Source: rundll32.exe, 00000006.00000002.1392754612.00000000048E4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1567660735.0000000004C97000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.aterD
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803B7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480001000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480799000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1567660735.0000000004C97000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1567660735.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B6C000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.1931975649.0000015DE19C3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000018.00000002.1932095576.000002823BD1F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDACC1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.0000022892001000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.000002289222D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.00000228921C1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.00000228921FD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000002.2109546115.0000023E000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.2255590261.000002D4D3D9D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002C.00000002.2399031709.00000209801D4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000035.00000002.2715321995.0000021AA38F1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0031B000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.000000000468B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com
                                Source: rundll32.exe, 00000005.00000003.1329264986.00000000042F9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.00000000046F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1392754612.00000000048E4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1392754612.0000000004841000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000503E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1567660735.0000000004C97000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1567660735.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.000000000468B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/
                                Source: AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.0000022892298000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Prh
                                Source: AgentPackageAgentInformation.exe, 00000016.00000002.1931975649.0000015DE19C3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000018.00000002.1932095576.000002823BD1F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.00000228921C1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.00000228921FD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002C.00000002.2399031709.00000209801D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production
                                Source: rundll32.exe, 00000005.00000003.1329264986.00000000042F9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.00000000046F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1392754612.00000000048E4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1392754612.0000000004841000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000503E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803B7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480198000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1567660735.0000000004C97000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1567660735.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.000000000468B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.00000244803B7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AcknowledgeCommands
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.00000244800A3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244807C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting
                                Source: AgentPackageAgentInformation.exe, 00000016.00000002.1931975649.0000015DE19C3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000018.00000002.1932095576.000002823BD1F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResult
                                Source: AgentPackageTicketing.exe, 00000035.00000002.2715321995.0000021AA38F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResultRecurring/AgentPackageTicketingInstallHelp
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480084000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480799000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommands
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.00000244800A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallbackVers
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetEnvironmentStatus
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackages
                                Source: AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.000002289222D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/dynamic-fields/
                                Source: AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.0000022892001000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.000002289222D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/dynamic-fields/script-based
                                Source: AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.0000022892298000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/guiComm
                                Source: AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.0000022892298000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.0000022892093000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/guiCommandResult
                                Source: AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.00000228921C1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.00000228921FD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002C.00000002.2399031709.00000209801D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/recurringCommandResult
                                Source: AgentPackageMonitoring.exe, 0000002A.00000002.2255590261.000002D4D3D9D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/thresholds/5ea19671-d970-4e60-89b1-722649f3b810
                                Source: rundll32.exe, 00000006.00000002.1392754612.00000000048E4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1392754612.0000000004841000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1567660735.0000000004C97000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1567660735.0000000004BF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event
                                Source: rundll32.exe, 00000006.00000002.1392754612.0000000004926000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1567660735.0000000004CD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event;
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0031B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Alerts/AddAlertsFromAgent
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0044A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/monitoring/v1/MonitoringPackage/AddAgentMetrics
                                Source: AgentPackageTicketing.exe, 00000035.00000002.2715321995.0000021AA3C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.nuH
                                Source: AgentPackageTicketing.exe, 00000035.00000002.2715321995.0000021AA3C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.nuget.org
                                Source: AgentPackageTicketing.exe, 00000035.00000002.2715321995.0000021AA3C0A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.nuget.org/v3-flatcontainer/eo.webbrowser/24.1.46/eo.webbrowser.2
                                Source: AgentPackageTicketing.exe, 00000035.00000002.2715321995.0000021AA3ABD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000035.00000002.2715321995.0000021AA396F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000035.00000002.2711924313.0000021AA3782000.00000002.00000001.01000000.0000003E.sdmpString found in binary or memory: https://api.nuget.org/v3-flatcontainer/eo.webbrowser/24.1.46/eo.webbrowser.24.1.46.nupkg
                                Source: AgentPackageTicketing.exe, 00000035.00000002.2715321995.0000021AA396F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.nuget.orgp
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C167C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dc.services.visualstudio.com
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2596284621.00000232D9C52000.00000002.00000001.01000000.00000037.sdmpString found in binary or memory: https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Fhttps://profiler.monitor
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C162C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dc.services.visualstudio.com/X
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2596284621.00000232D9C52000.00000002.00000001.01000000.00000037.sdmpString found in binary or memory: https://dc.services.visualstudio.com/api/profiles/
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2596284621.00000232D9C52000.00000002.00000001.01000000.00000037.sdmpString found in binary or memory: https://dc.services.visualstudio.com/f
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C171B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dc.services.visualstudio.com/p
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C167C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dc.services.visualstudio.com/pc
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C167C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dc.services.visualstudio.com/v2/track
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C167C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dc.services.visualstudio.com8
                                Source: AgentPackageSTRemote.exe, 00000025.00000002.2710720925.000001DFA993D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://download.splashtop.com
                                Source: AgentPackageSTRemote.exe, 00000025.00000002.2710720925.000001DFA9939000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000025.00000002.2710720925.000001DFA993D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000025.00000002.2710720925.000001DFA9918000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://download.splashtop.com/csrs/Splashtop_Streamer_Win_DEPLOY_INSTALLER_v3.7.2.4.exe
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2583203795.00000232D9A82000.00000002.00000001.01000000.00000036.sdmpString found in binary or memory: https://github.com/App-vNext/Polly.git
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244805FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802B3000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.1933075717.0000015DFA1C2000.00000002.00000001.01000000.0000001B.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB228000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000002.2119277255.0000023E7A262000.00000002.00000001.01000000.00000025.sdmp, AgentPackageUpgradeAgent.exe, 00000033.00000002.2350135963.000002A441320000.00000002.00000001.01000000.0000002B.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2596284621.00000232D9C52000.00000002.00000001.01000000.00000037.sdmp, AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C171B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C155E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Microsoft/ApplicationInsights-dotnet
                                Source: AgentPackageUpgradeAgent.exe, 00000031.00000002.2748240282.00000208AFBF9000.00000004.00000020.00020000.00000000.sdmp, System.ValueTuple.dll.16.dr, System.Diagnostics.DiagnosticSource.dll.16.drString found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
                                Source: AgentPackageUpgradeAgent.exe, 00000031.00000002.2748240282.00000208AFBF9000.00000004.00000020.00020000.00000000.sdmp, System.ValueTuple.dll.16.dr, System.Diagnostics.DiagnosticSource.dll.16.drString found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
                                Source: System.Memory.dll.28.drString found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f
                                Source: System.Memory.dll.28.dr, System.Runtime.CompilerServices.Unsafe.dll.28.drString found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8
                                Source: AteraAgent.exe, 00000010.00000002.2307628363.00000244FB462000.00000002.00000001.01000000.00000028.sdmpString found in binary or memory: https://github.com/icsharpcode/SharpZipLib
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2596284621.00000232D9C52000.00000002.00000001.01000000.00000037.sdmpString found in binary or memory: https://github.com/microsoft/ApplicationInsights-dotnet/issues/2560
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2596284621.00000232D9C52000.00000002.00000001.01000000.00000037.sdmpString found in binary or memory: https://monitor.azure.com//.default
                                Source: AgentPackageSTRemote.exe, 00000025.00000002.2710720925.000001DFA9891000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://my.splashtop.com
                                Source: AgentPackageSTRemote.exe, 00000025.00000000.2002012642.000001DFA8B72000.00000002.00000001.01000000.0000001C.sdmpString found in binary or memory: https://my.splashtop.com/csrs/win
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2119202416.0000023E7A258000.00000002.00000001.01000000.00000024.sdmp, AgentPackageMonitoring.exe, 00000027.00000002.2118441460.0000023E7A182000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: https://nlog-project.org/
                                Source: AgentPackageUpgradeAgent.exe, 00000031.00000002.2708999474.000002089743C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2708999474.0000020897311000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net
                                Source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000000.2056898678.0000023E78DB2000.00000002.00000001.01000000.0000001D.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/BitDefender/rmm.zip
                                Source: AgentPackageUpgradeAgent.exe, 00000031.00000002.2708999474.0000020897311000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000000.2321100224.0000020896912000.00000002.00000001.01000000.00000029.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric
                                Source: AgentPackageUpgradeAgent.exe, 00000031.00000002.2708999474.0000020897311000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric/MSI/1.8.7.2/Setupx64.msi
                                Source: AgentPackageUpgradeAgent.exe, 00000031.00000000.2321100224.0000020896912000.00000002.00000001.01000000.00000029.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric/MacAgent/1.0/AteraAgentInstaller.pkgA/
                                Source: AgentPackageUpgradeAgent.exe, 00000031.00000000.2321100224.0000020896912000.00000002.00000001.01000000.00000029.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric5Get
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C1497000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://profiler.monitor.azure.com/
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2596284621.00000232D9C52000.00000002.00000001.01000000.00000037.sdmpString found in binary or memory: https://profiler.monitor.azure.com/l
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C171B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C167C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://profiler.monitor.azure.com/p
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C171B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C167C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://profiler.monitor.azure.com/pc
                                Source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB600000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ateH
                                Source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB600000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ateHb
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480578000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480294000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB1D8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB1CB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/a
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/ag
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480411000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAg
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.00000244803FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAge
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480411000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244800E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAgentI
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAx
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.00000244803FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.40/AgentPackageMonitoring.z
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageSTRemote/2.6/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480411000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageSTRemote/2.6/AgentPackageSTRemote.ziph
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480102000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAD8D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480102000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480067000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.9/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480411000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244800E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480067000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAD23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480411000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/37.8/AgentPackageMonitoring.ziph
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480102000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAD8D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageNetworkDiscovery/13.0/AgentPackageNetworkDiscovery
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480102000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480067000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAD8D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/24.2/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480411000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/24.2/AgentPackageSTRemote.ziph
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480102000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAD8D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zip
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesne
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480102000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480067000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB1D8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB053000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availability.z
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480102000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAD8D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480102000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480067000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.9/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB1D8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB053000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.9/Agent.Package.Watchdog.zip?qVuhOZ
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
                                Source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB1D8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB053000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip?qVuhOZTCW5
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480198000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformati
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip
                                Source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB1D8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAF71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip?qVuhOZ
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB1D8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAEF5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageInternalPoller/23.8/AgentPackageInternalPoller.z
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip
                                Source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB1CB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAF71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip?qVuh
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480067000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAD23000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip?qVuhO
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480411000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.ziph
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480102000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAD8D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageNetworkDiscovery/23.9/AgentPackageNetworkDiscove
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/20.9/AgentPackageOsUpdates.zip
                                Source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/20.9/AgentPackageOsUpdates.zip?qVuhOZT
                                Source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageProgramManagement/26.3/AgentPackageProgramManage
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480102000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480067000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB1D8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAD8D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB053000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageRuntimeInstaller/1.6/AgentPackageRuntimeInstalle
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/24.2/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/24.2/AgentPackageSTRemote.zip?qVuhOZTCW
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480411000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/24.2/AgentPackageSTRemote.ziph
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.8/AgentPackageSystemTools.zip
                                Source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB1D8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAF71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.8/AgentPackageSystemTools.zip?qVu
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480102000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAD8D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.2/AgentPackageTicketing.zip
                                Source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.2/AgentPackageTicketing.zip?qVuhOZT
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.6/AgentPackageUpgradeAgent.zip
                                Source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.6/AgentPackageUpgradeAgent.zip?q
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480102000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zip
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480102000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAD8D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.IotPoc/13.0/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480102000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480067000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480411000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244800E6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformation
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480067000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480067000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAD23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMonitoring/22.0/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480102000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480067000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAD8D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstaller
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480102000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAD8D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTaskScheduler/13.1/AgentPackageTaskScheduler.zip
                                Source: AgentPackageUpgradeAgent.exe, 00000031.00000000.2321100224.0000020896912000.00000002.00000001.01000000.00000029.sdmpString found in binary or memory: https://ps.atera.com/installers/Agents/Mac/
                                Source: AgentPackageUpgradeAgent.exe, 00000031.00000000.2321100224.0000020896912000.00000002.00000001.01000000.00000029.sdmpString found in binary or memory: https://ps.atera.com/installers/Agents/Windows/
                                Source: AgentPackageTicketing.exe, 00000035.00000002.2711924313.0000021AA3782000.00000002.00000001.01000000.0000003E.sdmpString found in binary or memory: https://ps.atera.com/installers/EO.WebBrowser/eo.webbrowser.24.1.46.nupkg
                                Source: AgentPackageTicketing.exe, 00000035.00000002.2715321995.0000021AA3ABD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000035.00000002.2715321995.0000021AA396F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/installers/EO.WebBrowser/eo.webbrowser.24.1.46.nupkgX
                                Source: AgentPackageSTRemote.exe, 00000025.00000000.2002012642.000001DFA8B72000.00000002.00000001.01000000.0000001C.sdmpString found in binary or memory: https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exe
                                Source: AgentPackageSTRemote.exe, 00000025.00000002.2710720925.000001DFA9891000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exep
                                Source: AgentPackageTicketing.exe, 00000035.00000002.2711924313.0000021AA3782000.00000002.00000001.01000000.0000003E.sdmpString found in binary or memory: https://ps.atera.com/translations/TicketingTray/
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.00000244803C2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803C8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB51E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.00000244803C2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803C8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480198000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAD4C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB51E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0e930743-54d5-40de-b19a-46cd66679682
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.00000244803C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=18bacc81-cd6b-4861-a6f6-50b2da2188a0
                                Source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAD4C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=20dd6e11-8f6e-49b9-a1d7-4eac9dd9b38d
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=80c798ac-64f4-4a1a-a2b4-52603b701f0f
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=91f521ab-133c-4096-a597-67655450aaf4
                                Source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB51E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAF71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=a83ac249-f18b-4dba-8400-02a2a4eb8697
                                Source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB4F4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAF71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscribe/su
                                Source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB51E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADB5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAF71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/5ea19671-d970-4e60-89b1
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2596284621.00000232D9C52000.00000002.00000001.01000000.00000037.sdmpString found in binary or memory: https://rt.services.visualstudio.com/l
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C171B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C167C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rt.services.visualstudio.com/p
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C167C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rt.services.visualstudio.com/pc
                                Source: AgentPackageTicketing.exe, 00000035.00000002.2711924313.0000021AA3782000.00000002.00000001.01000000.0000003E.sdmpString found in binary or memory: https://setup-app-resolver.atera.com
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C167C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://snapshot.monitor
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C1497000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C171B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://snapshot.monitor.azure.com/
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2596284621.00000232D9C52000.00000002.00000001.01000000.00000037.sdmpString found in binary or memory: https://snapshot.monitor.azure.com/&
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C171B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C167C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://snapshot.monitor.azure.com/p
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2120107603.0000023E7A322000.00000002.00000001.01000000.00000026.sdmpString found in binary or memory: https://system.data.sqlite.org/
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2120429636.0000023E7A384000.00000002.00000001.01000000.00000026.sdmpString found in binary or memory: https://system.data.sqlite.org/X
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2120107603.0000023E7A322000.00000002.00000001.01000000.00000026.sdmpString found in binary or memory: https://urn.to/r/sds_see
                                Source: QRCoder.dll.28.drString found in binary or memory: https://wa.me/
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C171B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.co
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C1575000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C171B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C171B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com/
                                Source: AgentPackageOsUpdates.exe, 00000039.00000000.2402109129.00000232C0932000.00000002.00000001.01000000.0000002D.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com/;LiveEndpoint=https://westeurope.livediagnosti
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C171B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com/api/profiles/
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C171B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com/pc
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C1497000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C171B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com/v2/track
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C171B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope.livediagnostics.monitor.azure.com/
                                Source: AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C171B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope.livediagnostics.monitor.azure.com/pc
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmp, Infraccion-Multa.msi, 6640c2.msi.2.drString found in binary or memory: https://www.digicert.com/CPS0
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/json
                                Source: rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2119202416.0000023E7A258000.00000002.00000001.01000000.00000024.sdmp, AgentPackageMonitoring.exe, 00000027.00000002.2118441460.0000023E7A182000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
                                Source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244805FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802B3000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.1933075717.0000015DFA1C2000.00000002.00000001.01000000.0000001B.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB228000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000002.2119277255.0000023E7A262000.00000002.00000001.01000000.00000025.sdmp, AgentPackageUpgradeAgent.exe, 00000033.00000002.2350135963.000002A441320000.00000002.00000001.01000000.0000002B.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                                Source: AgentPackageMonitoring.exeString found in binary or memory: https://www.sqlite.org/copyright.html
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2133059733.00007FFB02DE4000.00000002.00000001.01000000.0000001E.sdmpString found in binary or memory: https://www.sqlite.org/copyright.html2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBJump to dropped file

                                Spam, unwanted Advertisements and Ransom Demands

                                barindex
                                Reads the Security eventlog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Reads the System eventlog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AlphaAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\6640c2.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI466F.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI49FA.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI61D8.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6564.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI65A3.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI68F0.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI69FA.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\6640c4.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\6640c4.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8CE5.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\6640c5.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF30D.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF699.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI31D.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA61.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA72.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID32.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID81.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2494.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI24A5.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI25CF.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI268B.tmpJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI466F.tmp-Jump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI466F.tmp-\AlphaControlAgentInstallation.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI466F.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI466F.tmp-\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI466F.tmp-\System.Management.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI466F.tmp-\CustomAction.configJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI49FA.tmp-Jump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI49FA.tmp-\AlphaControlAgentInstallation.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI49FA.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI49FA.tmp-\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI49FA.tmp-\System.Management.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI49FA.tmp-\CustomAction.configJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI61D8.tmp-Jump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI61D8.tmp-\AlphaControlAgentInstallation.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI61D8.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI61D8.tmp-\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI61D8.tmp-\System.Management.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI61D8.tmp-\CustomAction.configJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BA74182F76F15A9CF514DEF352303C95
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI8CE5.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI8CE5.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI8CE5.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI8CE5.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI8CE5.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI8CE5.tmp-\CustomAction.config
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF30D.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF30D.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF30D.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF30D.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF30D.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF30D.tmp-\CustomAction.config
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
                                Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSI466F.tmpJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_3_06DA00406_3_06DA0040
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_3_074C59A87_3_074C59A8
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_3_074C50B87_3_074C50B8
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_3_074C4D687_3_074C4D68
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 14_2_00007FFAAB57C92214_2_00007FFAAB57C922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 14_2_00007FFAAB57BB7614_2_00007FFAAB57BB76
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFAAB5A1E9A16_2_00007FFAAB5A1E9A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFAAB590D4216_2_00007FFAAB590D42
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFAAB599AF216_2_00007FFAAB599AF2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFAAB59C5E016_2_00007FFAAB59C5E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFAAB59C5E016_2_00007FFAAB59C5E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFAAB59C5E016_2_00007FFAAB59C5E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFAAB5A337816_2_00007FFAAB5A3378
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFAAB7B318816_2_00007FFAAB7B3188
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFAAB7A05F216_2_00007FFAAB7A05F2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFAAB7964F216_2_00007FFAAB7964F2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFAAB7AAC7016_2_00007FFAAB7AAC70
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_3_071A71D019_3_071A71D0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_3_071A004019_3_071A0040
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFAAB5B047D22_2_00007FFAAB5B047D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFAAB59FA9422_2_00007FFAAB59FA94
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFAAB5978D622_2_00007FFAAB5978D6
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFAAB5A100A22_2_00007FFAAB5A100A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFAAB59868222_2_00007FFAAB598682
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFAAB5912FB22_2_00007FFAAB5912FB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFAAB5A10C022_2_00007FFAAB5A10C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFAAB59BDB022_2_00007FFAAB59BDB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 24_2_00007FFAAB58FA9424_2_00007FFAAB58FA94
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 24_2_00007FFAAB5878D624_2_00007FFAAB5878D6
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 24_2_00007FFAAB59100A24_2_00007FFAAB59100A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 24_2_00007FFAAB58868224_2_00007FFAAB588682
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 24_2_00007FFAAB5812FA24_2_00007FFAAB5812FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 24_2_00007FFAAB5910C024_2_00007FFAAB5910C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 24_2_00007FFAAB58BD1024_2_00007FFAAB58BD10
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 26_2_00007FFAAB58182826_2_00007FFAAB581828
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 26_2_00007FFAAB5812FA26_2_00007FFAAB5812FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB570C5828_2_00007FFAAB570C58
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB579EDF28_2_00007FFAAB579EDF
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB591FAD28_2_00007FFAAB591FAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB58CEA028_2_00007FFAAB58CEA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB593CD028_2_00007FFAAB593CD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB58CD8028_2_00007FFAAB58CD80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB581D8B28_2_00007FFAAB581D8B
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB58943628_2_00007FFAAB589436
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB58D3C828_2_00007FFAAB58D3C8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB79DB9D28_2_00007FFAAB79DB9D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB79CA0D28_2_00007FFAAB79CA0D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB78693B28_2_00007FFAAB78693B
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB78284A28_2_00007FFAAB78284A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB798DE828_2_00007FFAAB798DE8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB786E1728_2_00007FFAAB786E17
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB786D4828_2_00007FFAAB786D48
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB79AC0828_2_00007FFAAB79AC08
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB794A1D28_2_00007FFAAB794A1D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB79F90128_2_00007FFAAB79F901
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB790FF228_2_00007FFAAB790FF2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB790ED328_2_00007FFAAB790ED3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB790EF228_2_00007FFAAB790EF2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB793F2528_2_00007FFAAB793F25
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB793ED828_2_00007FFAAB793ED8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB790EB728_2_00007FFAAB790EB7
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB79BD8128_2_00007FFAAB79BD81
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 31_2_00007FFAAB5889CE31_2_00007FFAAB5889CE
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 31_2_00007FFAAB5ADEE331_2_00007FFAAB5ADEE3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 31_2_00007FFAAB58CE0931_2_00007FFAAB58CE09
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 31_2_00007FFAAB58C47F31_2_00007FFAAB58C47F
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 31_2_00007FFAAB5812FA31_2_00007FFAAB5812FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 31_2_00007FFAAB5840F831_2_00007FFAAB5840F8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 31_2_00007FFAAB58183531_2_00007FFAAB581835
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 31_2_00007FFAAB58977E31_2_00007FFAAB58977E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 31_2_00007FFAAB5A66B031_2_00007FFAAB5A66B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 31_2_00007FFAAB595B3131_2_00007FFAAB595B31
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 31_2_00007FFAAB5A009831_2_00007FFAAB5A0098
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 37_2_00007FFAAB5A2CA037_2_00007FFAAB5A2CA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 37_2_00007FFAAB585C6037_2_00007FFAAB585C60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 37_2_00007FFAAB5817A037_2_00007FFAAB5817A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 37_2_00007FFAAB59174D37_2_00007FFAAB59174D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 37_2_00007FFAAB5984C037_2_00007FFAAB5984C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 37_2_00007FFAAB58356837_2_00007FFAAB583568
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 37_2_00007FFAAB5A1C2637_2_00007FFAAB5A1C26
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 37_2_00007FFAAB59531837_2_00007FFAAB595318
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 37_2_00007FFAAB59528837_2_00007FFAAB595288
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D720E039_2_00007FFB02D720E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D801E039_2_00007FFB02D801E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D7696039_2_00007FFB02D76960
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CCB88039_2_00007FFB02CCB880
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C6033039_2_00007FFB02C60330
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CEA2F039_2_00007FFB02CEA2F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D0831039_2_00007FFB02D08310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C6231039_2_00007FFB02C62310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CE22B039_2_00007FFB02CE22B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CCC11039_2_00007FFB02CCC110
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CE40A039_2_00007FFB02CE40A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CDA0C039_2_00007FFB02CDA0C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CFC22039_2_00007FFB02CFC220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CB224039_2_00007FFB02CB2240
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C5273839_2_00007FFB02C52738
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C5E72039_2_00007FFB02C5E720
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C5886039_2_00007FFB02C58860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D0686039_2_00007FFB02D06860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CDA7E039_2_00007FFB02CDA7E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C4E80C39_2_00007FFB02C4E80C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D2659039_2_00007FFB02D26590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CFE59039_2_00007FFB02CFE590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C4A52439_2_00007FFB02C4A524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CC455039_2_00007FFB02CC4550
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C544DC39_2_00007FFB02C544DC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C9051039_2_00007FFB02C90510
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CA64A039_2_00007FFB02CA64A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D7C68039_2_00007FFB02D7C680
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CC060039_2_00007FFB02CC0600
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D605D039_2_00007FFB02D605D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CFA5D039_2_00007FFB02CFA5D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C485D439_2_00007FFB02C485D4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D7E5B039_2_00007FFB02D7E5B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C98B9039_2_00007FFB02C98B90
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CBCB5039_2_00007FFB02CBCB50
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D2AB0039_2_00007FFB02D2AB00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D74C8039_2_00007FFB02D74C80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CECC0039_2_00007FFB02CECC00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C9E99039_2_00007FFB02C9E990
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D3691039_2_00007FFB02D36910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C988A039_2_00007FFB02C988A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C428C039_2_00007FFB02C428C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C88A6039_2_00007FFB02C88A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C66A8039_2_00007FFB02C66A80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D0AA7039_2_00007FFB02D0AA70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C48A3C39_2_00007FFB02C48A3C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C52F8C39_2_00007FFB02C52F8C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C4CEA839_2_00007FFB02C4CEA8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C8902039_2_00007FFB02C89020
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C8AFB039_2_00007FFB02C8AFB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CDEFD039_2_00007FFB02CDEFD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D7CD6039_2_00007FFB02D7CD60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CC6D2039_2_00007FFB02CC6D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D08D2039_2_00007FFB02D08D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D90D3039_2_00007FFB02D90D30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CB4D0039_2_00007FFB02CB4D00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C8ACD039_2_00007FFB02C8ACD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C56CC039_2_00007FFB02C56CC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C6CE7039_2_00007FFB02C6CE70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CA0E3039_2_00007FFB02CA0E30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C44DB439_2_00007FFB02C44DB4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CDB37039_2_00007FFB02CDB370
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CDD35039_2_00007FFB02CDD350
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C4F34039_2_00007FFB02C4F340
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C4347439_2_00007FFB02C43474
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D1F3E039_2_00007FFB02D1F3E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C693D039_2_00007FFB02C693D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CD917039_2_00007FFB02CD9170
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D750F039_2_00007FFB02D750F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C4D28439_2_00007FFB02C4D284
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CBF22039_2_00007FFB02CBF220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D5320039_2_00007FFB02D53200
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C411B039_2_00007FFB02C411B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CAF1B039_2_00007FFB02CAF1B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C8D77039_2_00007FFB02C8D770
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D8F79039_2_00007FFB02D8F790
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C9F78039_2_00007FFB02C9F780
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CE772039_2_00007FFB02CE7720
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CB36E039_2_00007FFB02CB36E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D356D039_2_00007FFB02D356D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C5D83039_2_00007FFB02C5D830
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D9184039_2_00007FFB02D91840
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C4955C39_2_00007FFB02C4955C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C474B039_2_00007FFB02C474B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CE169039_2_00007FFB02CE1690
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C4D63439_2_00007FFB02C4D634
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C8F63039_2_00007FFB02C8F630
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C5564039_2_00007FFB02C55640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CAB64739_2_00007FFB02CAB647
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D2DB8039_2_00007FFB02D2DB80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CA7B3039_2_00007FFB02CA7B30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CE3AF039_2_00007FFB02CE3AF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C75AD039_2_00007FFB02C75AD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D83C2039_2_00007FFB02D83C20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C6BBE039_2_00007FFB02C6BBE0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C89BA039_2_00007FFB02C89BA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C6D91039_2_00007FFB02C6D910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CA18DA39_2_00007FFB02CA18DA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C79A6039_2_00007FFB02C79A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CF7A6039_2_00007FFB02CF7A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CAB9F039_2_00007FFB02CAB9F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C57F3039_2_00007FFB02C57F30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C79F3039_2_00007FFB02C79F30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CD5F2039_2_00007FFB02CD5F20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C9FEF039_2_00007FFB02C9FEF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CC3EB039_2_00007FFB02CC3EB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CE7EA039_2_00007FFB02CE7EA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CF5EA039_2_00007FFB02CF5EA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02CDFED039_2_00007FFB02CDFED0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C47EC039_2_00007FFB02C47EC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D17D2039_2_00007FFB02D17D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C89CF039_2_00007FFB02C89CF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D1DCC039_2_00007FFB02D1DCC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02D2BCD039_2_00007FFB02D2BCD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C87E7039_2_00007FFB02C87E70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C55E5039_2_00007FFB02C55E50
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C73E1039_2_00007FFB02C73E10
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFAAB56ED6D39_2_00007FFAAB56ED6D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFAAB565D0F39_2_00007FFAAB565D0F
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFAAB56BD6139_2_00007FFAAB56BD61
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFAAB56D12639_2_00007FFAAB56D126
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFAAB7832A639_2_00007FFAAB7832A6
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFAAB782BCF39_2_00007FFAAB782BCF
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFAAB78EFA839_2_00007FFAAB78EFA8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFAAB7824E839_2_00007FFAAB7824E8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFAAB893C7139_2_00007FFAAB893C71
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFAAB8912CF39_2_00007FFAAB8912CF
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFAAB894D1739_2_00007FFAAB894D17
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFAAB890CB039_2_00007FFAAB890CB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFAAB8912FB39_2_00007FFAAB8912FB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFAAB88950539_2_00007FFAAB889505
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFAAB9535A239_2_00007FFAAB9535A2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFAAB950B7739_2_00007FFAAB950B77
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFAABAFC86C39_2_00007FFAABAFC86C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFAABAF9C6539_2_00007FFAABAF9C65
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFAABB0004C39_2_00007FFAABB0004C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFAABAF6A6739_2_00007FFAABAF6A67
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFAABAF04C939_2_00007FFAABAF04C9
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFAABB0148A39_2_00007FFAABB0148A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFAABB000D039_2_00007FFAABB000D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFAABB014FA39_2_00007FFAABB014FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFB02D906B0 appears 145 times
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFB02D91B70 appears 102 times
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFB02D91D30 appears 114 times
                                Source: Infraccion-Multa.msiBinary or memory string: OriginalFilenameAlphaControlAgentInstallation.dll\ vs Infraccion-Multa.msi
                                Source: Infraccion-Multa.msiBinary or memory string: OriginalFilenameSfxCA.dll\ vs Infraccion-Multa.msi
                                Source: Infraccion-Multa.msiBinary or memory string: OriginalFilenamewixca.dll\ vs Infraccion-Multa.msi
                                Source: ICSharpCode.SharpZipLib.dll.2.dr, InflaterInputBuffer.csCryptographic APIs: 'TransformBlock'
                                Source: ICSharpCode.SharpZipLib.dll.2.dr, DeflaterOutputStream.csCryptographic APIs: 'TransformBlock'
                                Source: ICSharpCode.SharpZipLib.dll.2.dr, ZipAESTransform.csCryptographic APIs: 'TransformBlock'
                                Source: ICSharpCode.SharpZipLib.dll0.2.dr, InflaterInputBuffer.csCryptographic APIs: 'TransformBlock'
                                Source: ICSharpCode.SharpZipLib.dll0.2.dr, DeflaterOutputStream.csCryptographic APIs: 'TransformBlock'
                                Source: ICSharpCode.SharpZipLib.dll0.2.dr, ZipAESTransform.csCryptographic APIs: 'TransformBlock'
                                Source: AteraAgent.exe.2.dr, SignatureValidator.csBase64 encoded string: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YmxeR/2wifvwd/MQXb/5tsLsvlMs50tmraklX8MKsU1EgEpRZ+W0Ro1ZHoLhQG53oq9hPz9bmJge78yZr6l1QJWz6wCj+yQUxM5f0gt4fHEf2yA94Tklnds7JPr2vQRb5rjAnxnt7722oWFc1bxFFsIcIhOI/EHYCE0qSPE1pKMXALkHZYoDQEFUu3YgEc0Oo7ClJNFrB75g6tVZRqGKxVvYQBb9zKDxhBRnDkhZuB7D1gRaR9PNwCr7tVtPt40c+CCf5ktUkeu4JzaiEipWvKYgRvotqsFtZF5uFso2UmdvxO+lIw9i/GPDfgS4JhKu/Y9lCuaan+xEluhSK0vpQIDAQAB'
                                Source: AteraAgent.exe0.2.dr, SignatureValidator.csBase64 encoded string: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YmxeR/2wifvwd/MQXb/5tsLsvlMs50tmraklX8MKsU1EgEpRZ+W0Ro1ZHoLhQG53oq9hPz9bmJge78yZr6l1QJWz6wCj+yQUxM5f0gt4fHEf2yA94Tklnds7JPr2vQRb5rjAnxnt7722oWFc1bxFFsIcIhOI/EHYCE0qSPE1pKMXALkHZYoDQEFUu3YgEc0Oo7ClJNFrB75g6tVZRqGKxVvYQBb9zKDxhBRnDkhZuB7D1gRaR9PNwCr7tVtPt40c+CCf5ktUkeu4JzaiEipWvKYgRvotqsFtZF5uFso2UmdvxO+lIw9i/GPDfgS4JhKu/Y9lCuaan+xEluhSK0vpQIDAQAB'
                                Source: classification engineClassification label: mal100.troj.spyw.evad.winMSI@98/396@0/12
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA NetworksJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.logJump to behavior
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7524:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3088:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7768:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMutant created: \BaseNamedObjects\Global\NLog-FileFileArchiveLock-c:_program files (x86)_atera networks_ateraagent_packages_agentpackageosupdates_log.txt
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6796:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7252:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:432:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1748:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2992:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMutant created: \BaseNamedObjects\Global\Access_ISABUS.HTP.Method
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6432:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7516:120:WilError_03
                                Source: C:\Windows\SysWOW64\rundll32.exeMutant created: NULL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7996:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5640:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMutant created: \BaseNamedObjects\NLogMutexTester
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7956:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6724:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMutant created: \BaseNamedObjects\Global\NLog-FileFileArchiveLock-c:_program files (x86)_atera networks_ateraagent_packages_agentpackagemonitoring_log.txt
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4808:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMutant created: \BaseNamedObjects\Global\Access_PCI
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6520:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7440:120:WilError_03
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DFC168934D7CAB4E4C.TMPJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\SysWOW64\rundll32.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;AteraAgent.exe&quot;)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                                Source: C:\Windows\System32\msiexec.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI466F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6702921 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000000.2056898678.0000023E78DB2000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: SELECT Identifier, Severity, Timestamp FROM ThresholdDuration WHERE Identifier = @id;kDELETE FROM ThresholdDuration WHERE Identifier = @id;
                                Source: cscript.exe, 00000030.00000002.2345875231.000001262BFE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT ID, ApplicationId, EvaluationEndDate, PartialProductKey, Description, Name, LicenseStatus, LicenseStatusReason, ProductKeyID, GracePeriodRemaining, KeyManagementServiceLookupDomain, VLActivationType, ADActivationObjectName, ADActivationObjectDN, ADActivationCsvlkPid, ADActivationCsvlkSkuId, VLActivationTypeEnabled, DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort, VLActivationInterval, VLRenewalInterval, KeyManagementServiceMachine, KeyManagementServicePort, ProductKeyID2 FROM ;
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF00294000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdDuration (Identifier,Severity,Timestamp) Values (@identifier, @severity, @timestamp) ON CONFLICT (Identifier) DO UPDATE SET Severity = excluded.Severity, Timestamp = excluded.Timestamp;@X9
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2109546115.0000023E000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.2255590261.000002D4D3D9D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);@X9
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2109546115.0000023E000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.2255590261.000002D4D3D9D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);@X9
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2120534612.0000023E7AEF5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','idx_AlertedEvents_V2_LogName','AlertedEvents_V2',#1, NULL,Value TEXT NOT NULL);u1
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2120534612.0000023E7AEF5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO 'main'.sqlite_master VALUES('index','idx_AlertedEvents_V2_LogName','AlertedEvents_V2',#1, NULL,Value TEXT NOT NULL);
                                Source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000000.2056898678.0000023E78DB2000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF00294000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdDuration (Identifier,Severity,Timestamp) Values (@identifier, @severity, @timestamp) ON CONFLICT (Identifier) DO UPDATE SET Severity = excluded.Severity, Timestamp = excluded.Timestamp;
                                Source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000000.2056898678.0000023E78DB2000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: INSERT INTO [AlertsSent] (Timestamp, Alerts) VALUES (@timestamp, @alerts);kExecuteScriptAsync SystemTools Start scriptGuid : {0}Wrunscriptguid {0} 10 W10= disableSendResult
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2109546115.0000023E005B1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.2255590261.000002D4D4267000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;@X9
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0031B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF00294000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO Statistics(Name, Timestamp, Value) Values (@name, @timestamp, @value);
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2109546115.0000023E000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.2255590261.000002D4D3D9D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF000E9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);
                                Source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000000.2056898678.0000023E78DB2000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 00000027.00000002.2109546115.0000023E000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.2255590261.000002D4D3D9D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS StatisticsSendTime (Id INTEGER PRIMARY KEY,Timestamp BIGINT NOT NULL);
                                Source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000000.2056898678.0000023E78DB2000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: INSERT INTO Statistics(Name, Timestamp, Value) Values (@name, @timestamp, @value);%StatisticsSendTime
                                Source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000000.2056898678.0000023E78DB2000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 00000027.00000002.2109546115.0000023E000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.2255590261.000002D4D3D9D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF000E9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000027.00000002.2132653310.00007FFB02D9A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                                Source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000000.2056898678.0000023E78DB2000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 00000027.00000002.2109546115.0000023E000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.2255590261.000002D4D3D9D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Stub (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2109546115.0000023E000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.2255590261.000002D4D3D9D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF000E9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF00532000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO StatisticsSendTime (Timestamp) Values (@timestamp);
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF003DF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO [AlertsSent] (Timestamp, Alerts) VALUES (@timestamp, @alerts);
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2132653310.00007FFB02D9A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2109546115.0000023E000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.2255590261.000002D4D3D9D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2109546115.0000023E000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.2255590261.000002D4D3D9D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);@X9
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000027.00000002.2132653310.00007FFB02D9A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                                Source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000000.2056898678.0000023E78DB2000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0044A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT Timestamp FROM StatisticsSendTime ORDER BY Timestamp DESC LIMIT 1;
                                Source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000000.2056898678.0000023E78DB2000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);sSELECT MAX([Timestamp]) AS [TimeStamp] FROM [AlertsSent];
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000027.00000002.2132653310.00007FFB02D9A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000027.00000002.2132653310.00007FFB02D9A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0044A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT Id, Name, Timestamp, Value FROM Statistics;
                                Source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000000.2056898678.0000023E78DB2000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: SELECT [Id], [Alerts], [Timestamp] FROM [AlertsSent] ORDER BY [Timestamp] DESC LIMIT 1;
                                Source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000000.2056898678.0000023E78DB2000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);/DELETE FROM Statistics;eSELECT Id, Name, Timestamp, Value FROM Statistics;
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2109546115.0000023E000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.2255590261.000002D4D3D9D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000027.00000002.2132653310.00007FFB02D9A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                                Source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000000.2056898678.0000023E78DB2000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 00000027.00000002.2109546115.0000023E000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.2255590261.000002D4D3D9D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF000E9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2109546115.0000023E000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.2255590261.000002D4D3D9D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);@X9
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2109546115.0000023E000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.2255590261.000002D4D3D9D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2109546115.0000023E000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.2255590261.000002D4D3D9D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL);
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2109546115.0000023E005B1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.2255590261.000002D4D4267000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0031B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT MAX([Timestamp]) AS [TimeStamp] FROM [AlertsSent];
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000027.00000002.2132653310.00007FFB02D9A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                                Source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000000.2056898678.0000023E78DB2000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: select Name from Win32_PerfFormattedData_Tcpip_NetworkInterface!DataStatsEnabled9InboundBandwidthStatsEnabled;OutboundBandwidthStatsEnabled
                                Source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000000.2056898678.0000023E78DB2000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF006F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT Id, IsActive, Timestamp, Name, Thresholds FROM ThresholdsProfiles ORDER BY Timestamp DESC LIMIT 1;
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF00294000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT Identifier, Severity, Timestamp FROM ThresholdDuration WHERE Identifier = @id;
                                Source: Infraccion-Multa.msiStatic file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
                                Source: Infraccion-Multa.msiReversingLabs: Detection: 28%
                                Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Infraccion-Multa.msi"
                                Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6591223B205D707BA6F325A467EDBE08
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI466F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6702921 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI49FA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6703640 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI61D8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6709734 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F3C7ACDB760312621E2999EFF01041E2 E Global\MSI0000
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="ibarra3168@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000ODucuIAD" /AgentId="5ea19671-d970-4e60-89b1-722649f3b810"
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI8CE5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6720781 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "1fc16f57-6eb4-4ae2-999f-a0059e46a084" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "b169c455-145e-4bb1-8ab1-50dcde04909e" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "d2d11576-3590-4185-9a38-cc8b3bdf45d0" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "565525fa-351e-40ec-a343-6f2744ff6d7e" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: unknownProcess created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "345e95c7-6808-46fb-8299-d48876510569" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "eedd4cdd-5579-4207-ae57-b13ccd121903" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k smphost
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "eedd4cdd-5579-4207-ae57-b13ccd121903" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "d2d2be46-3b57-4869-a6b9-15804b85d2e6" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "99606d51-99fd-437f-9dca-e8b9473d35de" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "36a6e7ff-f179-4645-aa27-c561b454e5ca" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "f8e916f1-5ec1-45cf-af7d-3313f4cd01ba" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "5d15feda-d051-4164-a19c-70689c4a1b8c" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D91E01284641A82F51BC37F15E50E5A2 E Global\MSI0000
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIF30D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6812500 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6591223B205D707BA6F325A467EDBE08Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F3C7ACDB760312621E2999EFF01041E2 E Global\MSI0000Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="ibarra3168@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000ODucuIAD" /AgentId="5ea19671-d970-4e60-89b1-722649f3b810"Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D91E01284641A82F51BC37F15E50E5A2 E Global\MSI0000Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI466F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6702921 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentIdJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI49FA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6703640 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStartJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI61D8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6709734 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallationJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI8CE5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6720781 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEndJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgentJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exeJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgentJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "1fc16f57-6eb4-4ae2-999f-a0059e46a084" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "b169c455-145e-4bb1-8ab1-50dcde04909e" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "d2d11576-3590-4185-9a38-cc8b3bdf45d0" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "565525fa-351e-40ec-a343-6f2744ff6d7e" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "345e95c7-6808-46fb-8299-d48876510569" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "eedd4cdd-5579-4207-ae57-b13ccd121903" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "eedd4cdd-5579-4207-ae57-b13ccd121903" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "d2d2be46-3b57-4869-a6b9-15804b85d2e6" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "99606d51-99fd-437f-9dca-e8b9473d35de" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "36a6e7ff-f179-4645-aa27-c561b454e5ca" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "f8e916f1-5ec1-45cf-af7d-3313f4cd01ba" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "5d15feda-d051-4164-a19c-70689c4a1b8c" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIF30D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6812500 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msihnd.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: w32time.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: logoncli.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: vmictimeprovider.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: uxtheme.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: riched20.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: usp10.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msls31.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: edputil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wintypes.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: appresolver.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: bcp47langs.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: slc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sppc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecorecommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cabinet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: edputil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wintypes.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: appresolver.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: bcp47langs.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: slc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sppc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecorecommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wscapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wtsapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winsta.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: devobj.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: napinsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: pnrpnsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wshbth.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: nlaapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winrnr.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: version.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: sxs.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: vbscript.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: amsi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: userenv.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: profapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wldp.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: msasn1.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptsp.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: rsaenh.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptbase.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: msisip.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wshext.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: scrobj.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: gpapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptnet.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: iphlpapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: winnsi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: mpr.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: scrrun.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: cryptbase.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile written: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.ini
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA NetworksJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgentJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.configJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to behavior
                                Source: Infraccion-Multa.msiStatic file information: File size 2994176 > 1048576
                                Source: Binary string: gent\obj\Release\AteraAgent.pdbAgen source: AteraAgent.exe, 00000010.00000002.2242092164.000000E0585E9000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 00000027.00000002.2117074792.0000023E79F52000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: AgentPackageOsUpdates.exe, 00000039.00000002.2596284621.00000232D9C52000.00000002.00000001.01000000.00000037.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000E.00000000.1421332845.000001ECACC22000.00000002.00000001.01000000.00000010.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000016.00000002.1931745402.0000015DE14C2000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageTicketing.exe, 00000035.00000002.2712915043.0000021AA37A2000.00000002.00000001.01000000.0000003F.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000031.00000000.2321100224.0000020896912000.00000002.00000001.01000000.00000029.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 00000027.00000002.2120107603.0000023E7A322000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbd source: AgentPackageUpgradeAgent.exe, 00000031.00000000.2321100224.0000020896912000.00000002.00000001.01000000.00000029.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 00000027.00000002.2118441460.0000023E7A182000.00000002.00000001.01000000.00000024.sdmp
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.FileSystem\4.0.3.0\System.IO.FileSystem.pdb8)R) D)_CorDllMainmscoree.dll source: System.IO.FileSystem.dll.28.dr
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 00000027.00000002.2116047669.0000023E792D2000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackages.CommonLib\obj\Release\Atera.AgentPackages.CommonLib.pdb5` source: Atera.AgentPackages.CommonLib.dll.28.dr
                                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Diagnostics.StackTrace/netfx\System.Diagnostics.StackTrace.pdb source: System.Diagnostics.StackTrace.dll.28.dr
                                Source: Binary string: p:\Codeplex\CredentialManagement\Development\CredentialManagement\obj\Release\CredentialManagement.pdb source: CredentialManagement.dll.28.dr
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000005.00000003.1329264986.00000000042F9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.00000000046F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000503E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.000000000468B000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.FileSystem\4.0.3.0\System.IO.FileSystem.pdb source: System.IO.FileSystem.dll.28.dr
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000E.00000000.1421332845.000001ECACC22000.00000002.00000001.01000000.00000010.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdb!_;_ -__CorDllMainmscoree.dll source: AgentPackageOsUpdates.exe, 00000039.00000002.2523572336.00000232C0CD2000.00000002.00000001.01000000.00000032.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: AgentPackageUpgradeAgent.exe, 00000031.00000002.2748240282.00000208AFBF9000.00000004.00000020.00020000.00000000.sdmp, System.ValueTuple.dll.16.dr
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.ComponentModel\4.0.1.0\System.ComponentModel.pdb source: System.ComponentModel.dll.28.dr
                                Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdb source: AgentPackageOsUpdates.exe, 00000039.00000002.2583203795.00000232D9A82000.00000002.00000001.01000000.00000036.sdmp
                                Source: Binary string: D:\a\1\s\TicketingTray\obj\Release\TicketingTray.pdb source: TicketingTrayTMP.exe.28.dr
                                Source: Binary string: t.pdbal source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF36EB000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 00000010.00000002.2307628363.00000244FB462000.00000002.00000001.01000000.00000028.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 00000010.00000002.2307628363.00000244FB462000.00000002.00000001.01000000.00000028.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB228000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000002.2119277255.0000023E7A262000.00000002.00000001.01000000.00000025.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 00000027.00000002.2118201355.0000023E7A102000.00000002.00000001.01000000.00000023.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 00000027.00000002.2118441460.0000023E7A182000.00000002.00000001.01000000.00000024.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageProgramManagement\ThirdPartyPackageManager\obj\Release\ThirdPartyPackageManager.pdb source: AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAF71000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 00000016.00000000.1891055349.0000015DE1042000.00000002.00000001.01000000.00000018.sdmp, AgentPackageAgentInformation.exe.16.dr
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 00000027.00000002.2117074792.0000023E79F52000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000005.00000003.1329264986.00000000042F9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.00000000046F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000503E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.000000000468B000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AteraAgent.exe, 00000010.00000002.2242589005.00000244805FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802B3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.1933075717.0000015DFA1C2000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageUpgradeAgent.exe, 00000033.00000002.2350135963.000002A441320000.00000002.00000001.01000000.0000002B.sdmp
                                Source: Binary string: D:\a\QRCoder\QRCoder\QRCoder\obj\Release\net40\QRCoder.pdb source: QRCoder.dll.28.dr
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244805FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802B3000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.1933075717.0000015DFA1C2000.00000002.00000001.01000000.0000001B.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB228000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000002.2119277255.0000023E7A262000.00000002.00000001.01000000.00000025.sdmp, AgentPackageUpgradeAgent.exe, 00000033.00000002.2350135963.000002A441320000.00000002.00000001.01000000.0000002B.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: AgentPackageUpgradeAgent.exe, 00000031.00000002.2740810722.00000208AF9D2000.00000002.00000001.01000000.00000040.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: AgentPackageUpgradeAgent.exe, 00000031.00000002.2748240282.00000208AFBF9000.00000004.00000020.00020000.00000000.sdmp, System.ValueTuple.dll.16.dr
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdbTlnl `l_CorExeMainmscoree.dll source: AgentPackageTicketing.exe, 00000035.00000000.2368008929.0000021AA2F92000.00000002.00000001.01000000.0000002C.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates\obj\Release\AgentPackageOsUpdates.pdb source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000039.00000000.2402109129.00000232C0932000.00000002.00000001.01000000.0000002D.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: AgentPackageUpgradeAgent.exe, 00000031.00000002.2740810722.00000208AF9D2000.00000002.00000001.01000000.00000040.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000000.2056898678.0000023E78DB2000.00000002.00000001.01000000.0000001D.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: Infraccion-Multa.msi, 6640c2.msi.2.dr
                                Source: Binary string: D:\a\1\s\Atera.AgentPackages.CommonLib\obj\Release\Atera.AgentPackages.CommonLib.pdb source: Atera.AgentPackages.CommonLib.dll.28.dr
                                Source: Binary string: em.pdb source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF36EB000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdbSHA256I5 source: AgentPackageOsUpdates.exe, 00000039.00000002.2583203795.00000232D9A82000.00000002.00000001.01000000.00000036.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000005.00000003.1329264986.00000000042F9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.00000000046F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000503E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B6C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.000000000468B000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 00000027.00000002.2116047669.0000023E792D2000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: C:\Repos\t2tWinFormAppBarLib\t2tWinFormAppBarLib\obj\Debug\t2tWinFormAppBarLib.pdb source: t2tWinFormAppBarLib.dll.28.dr
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000016.00000002.1931745402.0000015DE14C2000.00000002.00000001.01000000.0000001A.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\RestartReminderNotification\obj\Release\RestartReminderNotification.pdb source: RestartReminderNotification.exe.28.dr
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Diagnostics.DiagnosticSource\net45\System.Diagnostics.DiagnosticSource.pdb source: System.Diagnostics.DiagnosticSource.dll.16.dr
                                Source: Binary string: D:\a\QRCoder\QRCoder\QRCoder\obj\Release\net40\QRCoder.pdbSHA256 P. source: QRCoder.dll.28.dr
                                Source: Binary string: mscorlib.pdb source: AgentPackageOsUpdates.exe, 00000039.00000002.2585887796.00000232D9AF2000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Runtime.Serialization.Primitives/netfx\System.Runtime.Serialization.Primitives.pdb source: System.Runtime.Serialization.Primitives.dll.28.dr
                                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: AgentPackageOsUpdates.exe, 00000039.00000002.2601550486.00000232D9FC5000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: Deserialize7b6c7464-b6cf-439b-8c08-26b88674e5c1onitoring.pdbpdbing.pdb source: AgentPackageMonitoring.exe, 00000037.00000002.2655398589.000001CF6B7C4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 00000027.00000002.2132653310.00007FFB02D9A000.00000002.00000001.01000000.0000001E.sdmp, AgentPackageMonitoring.exe, 00000037.00000002.2692812059.00007FFB02E9C000.00000002.00000001.01000000.0000001E.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdb source: AgentPackageOsUpdates.exe, 00000039.00000002.2523572336.00000232C0CD2000.00000002.00000001.01000000.00000032.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000E.00000002.1491210669.000001ECAE832000.00000002.00000001.01000000.00000012.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2759059438.00000208AFE62000.00000004.00000020.00020000.00000000.sdmp, Pubnub.dll0.2.dr, Pubnub.dll.49.dr
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000E.00000002.1491210669.000001ECAE832000.00000002.00000001.01000000.00000012.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2759059438.00000208AFE62000.00000004.00000020.00020000.00000000.sdmp, Pubnub.dll0.2.dr, Pubnub.dll.49.dr
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 00000027.00000002.2120107603.0000023E7A322000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\TicketingPackageExtensions\obj\Release\TicketingPackageExtensions.pdb source: AgentPackageTicketing.exe, 00000035.00000002.2711924313.0000021AA3782000.00000002.00000001.01000000.0000003E.sdmp
                                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdb source: System.Memory.dll.28.dr
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: Infraccion-Multa.msi, 6640c2.msi.2.dr
                                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Diagnostics.StackTrace/netfx\System.Diagnostics.StackTrace.pdb$.>. 0._CorDllMainmscoree.dll source: System.Diagnostics.StackTrace.dll.28.dr
                                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdbSHA256 source: System.Memory.dll.28.dr
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb source: AgentPackageTicketing.exe, 00000035.00000000.2368008929.0000021AA2F92000.00000002.00000001.01000000.0000002C.sdmp
                                Source: BouncyCastle.Crypto.dll.2.drStatic PE information: 0xE49A52B3 [Sun Jul 15 06:22:43 2091 UTC]
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C51910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,39_2_00007FFB02C51910
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_3_06CB57B8 push es; ret 6_3_06CB5840
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_3_06CB246F push esi; retf 0006h6_3_06CB247A
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_3_06CB23A9 push ebp; retf 0006h6_3_06CB23AA
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_3_06CB4E90 push es; ret 6_3_06CB4EA0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_3_06CB58D1 push es; ret 6_3_06CB58E0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_3_06CB58F0 push es; ret 6_3_06CB5900
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_3_06CB58B0 push es; ret 6_3_06CB58C0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_3_06CB5910 push es; ret 6_3_06CB5920
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_3_06DA84A1 push es; ret 6_3_06DA84B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFAAB79E04C push esi; ret 16_2_00007FFAAB79DF47
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFAAB790C64 pushad ; iretd 16_2_00007FFAAB790C71
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFAAB7AAB78 push eax; retf 16_2_00007FFAAB7AAB81
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFAAB7AAB84 push eax; retf 16_2_00007FFAAB7AAB81
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFAAB79AA75 pushad ; iretd 16_2_00007FFAAB79AA77
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFAAB79E9C0 push esi; ret 16_2_00007FFAAB79DF47
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFAAB7AA9FA push eax; retf 16_2_00007FFAAB7AAB81
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFAAB79E0EC push esi; ret 16_2_00007FFAAB79DF47
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFAAB79E0EC push ebx; iretd 16_2_00007FFAAB79E13A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFAAB79DF2D push esi; ret 16_2_00007FFAAB79DF47
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 16_2_00007FFAAB798DA1 push eax; ret 16_2_00007FFAAB798DC4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFAAB5900BD pushad ; iretd 22_2_00007FFAAB5900C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 24_2_00007FFAAB5800BD pushad ; iretd 24_2_00007FFAAB5800C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 26_2_00007FFAAB5800BD pushad ; iretd 26_2_00007FFAAB5800C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB586BD3 pushad ; iretd 28_2_00007FFAAB586C19
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB5825F2 push eax; iretd 28_2_00007FFAAB582671
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB57A658 push eax; retf 28_2_00007FFAAB57A669
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB7853C1 push eax; ret 28_2_00007FFAAB7853E4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB785BF1 push eax; ret 28_2_00007FFAAB785C14
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB78BAE8 push eax; ret 28_2_00007FFAAB78BB14
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB7A5979 pushfd ; retf 28_2_00007FFAAB7A5991
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 28_2_00007FFAAB783938 push edi; retf 28_2_00007FFAAB7859D6

                                Persistence and Installation Behavior

                                barindex
                                Creates files in the system32 config directory
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BA74182F76F15A9CF514DEF352303C95
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CredentialManagement.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tracing.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Xml.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlSerializer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CommunityToolkit.WinUI.Notifications.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Ping.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI49FA.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI31D.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI8CE5.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 6640c9.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\CredentialManagement.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.MemoryMappedFiles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TraceSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI8CE5.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI49FA.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Watcher.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 6640ce.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Pubnub.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI61D8.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tools.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 6640cc.rbf (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID32.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI466F.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.StackTrace.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 6640cd.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI25CF.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI61D8.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 6640cf.rbf (copy)Jump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF30D.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI68F0.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI466F.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI69FA.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8CE5.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI24A5.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI61D8.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeFile created: C:\Windows\Temp\SplashtopStreamer.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI49FA.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI466F.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI61D8.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI268B.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF30D.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID81.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF30D.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI49FA.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI65A3.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.ResourceManager.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Numerics.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 6640cb.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NetworkInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\t2tWinFormAppBarLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Writer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.WinForm.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA72.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NameResolution.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.IsolatedStorage.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Http.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI49FA.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\QRCoder.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Primitives.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI61D8.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Principal.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI8CE5.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI8CE5.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Calendars.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF30D.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF699.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.SecureString.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF30D.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI466F.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI466F.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.ReaderWriter.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2C97.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.FileVersionInfo.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI8CE5.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA72.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI49FA.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI61D8.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI8CE5.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI25CF.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI8CE5.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI268B.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF30D.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF30D.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI61D8.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF699.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI61D8.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID81.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeFile created: C:\Windows\Temp\SplashtopStreamer.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF30D.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI49FA.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF30D.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI49FA.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI68F0.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI466F.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI31D.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI69FA.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF30D.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI49FA.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI8CE5.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI61D8.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI466F.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8CE5.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI466F.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI466F.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID32.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI49FA.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2C97.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI24A5.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI65A3.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI466F.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI61D8.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\AteraSetupLog.txt

                                Boot Survival

                                barindex
                                Installs Task Scheduler Managed Wrapper
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                                Source: C:\Windows\System32\svchost.exeRegistry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\ConfigJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C4A524 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,39_2_00007FFB02C4A524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX

                                Malware Analysis System Evasion

                                barindex
                                Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID=&quot;\\\\.\\PHYSICALDRIVE0&quot;} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent=&quot;Win32_DiskDrive.DeviceID=\&quot;\\\\\\\\.\\\\PHYSICALDRIVE0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID=&quot;\\\\.\\PHYSICALDRIVE0&quot;} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent=&quot;Win32_DiskDrive.DeviceID=\&quot;\\\\\\\\.\\\\PHYSICALDRIVE0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID=&quot;\\\\.\\PHYSICALDRIVE0&quot;} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent=&quot;Win32_DiskDrive.DeviceID=\&quot;\\\\\\\\.\\\\PHYSICALDRIVE0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID=&quot;\\\\.\\PHYSICALDRIVE0&quot;} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent=&quot;Win32_DiskDrive.DeviceID=\&quot;\\\\\\\\.\\\\PHYSICALDRIVE0\&quot;&quot;
                                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PhysicalAdapter,Name,PNPDeviceID from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PhysicalAdapter,Name,PNPDeviceID from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSMBios_RawSMBiosTables
                                Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Name,DisplayName,Description,State from Win32_Service
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Name,DisplayName,Description,State from Win32_Service
                                Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #0&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #1&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #2&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #2\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #0&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #1&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #2&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #2\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #0&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #1&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #2&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #2\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #0&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #1&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #2&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #2\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #0&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #1&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #2&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #2\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
                                Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_SoundDevice
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_SoundDevice
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 1ECAE730000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 1ECC6900000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 244F9EE0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 244FA520000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 15DE1470000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 15DF9940000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 2823B6B0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 28253C60000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 21544240000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 2155C640000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 22CDA4A0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 22CF2CC0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 22891940000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 228AA000000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeMemory allocated: 1DFA8DC0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeMemory allocated: 1DFC1780000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 23E79140000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 23E79780000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 2D4D39C0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 2D4EBCB0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 209F2580000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 209F2A40000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 208970D0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 208AF310000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 2A428470000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 2A440B90000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeMemory allocated: 21AA33A0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeMemory allocated: 21ABB8F0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 1CF698E0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 1CF69FA0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMemory allocated: 232C0BA0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMemory allocated: 232D93C0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599544
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599426
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599301
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599172
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599062
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598952
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598843
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598730
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598624
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598515
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598406
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598295
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598076
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597968
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597859
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597750
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597531
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597421
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597312
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597203
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597093
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596942
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596812
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596702
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596593
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596483
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596375
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596265
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596155
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596046
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595919
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595812
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595703
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595593
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599859
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599749
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599634
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599515
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599406
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599250
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599140
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598917
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598812
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598696
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598578
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598468
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598359
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598239
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598115
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597993
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597882
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597653
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597509
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597390
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597280
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597171
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597060
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596939
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596794
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596670
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596557
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596453
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596343
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596234
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596124
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596015
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595906
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595796
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595686
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595578
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595468
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595359
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595249
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595140
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594921
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594812
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594703
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594593
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594482
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594359
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594202
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594093
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599859
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599750
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599522
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599420
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599312
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599193
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598906
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598797
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598687
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598578
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598468
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598359
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598250
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598140
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597803
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597687
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597577
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597467
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597353
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597230
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597113
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596890
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596781
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596672
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596551
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596375
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596248
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596119
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595989
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595828
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595710
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595481
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595375
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595265
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595154
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595046
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594937
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594828
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594718
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594609
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594500
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594375
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594250
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594140
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeThread delayed: delay time: 290078
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 6981
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 2805
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 7357
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 2182
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWindow / User API: threadDelayed 5310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWindow / User API: threadDelayed 4561
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeWindow / User API: threadDelayed 5600
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeWindow / User API: threadDelayed 4215
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWindow / User API: threadDelayed 3852
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWindow / User API: threadDelayed 2322
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWindow / User API: threadDelayed 3774
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWindow / User API: threadDelayed 1539
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWindow / User API: threadDelayed 1541
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeWindow / User API: threadDelayed 5895
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeWindow / User API: threadDelayed 3913
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWindow / User API: threadDelayed 6641
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWindow / User API: threadDelayed 3130
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeWindow / User API: threadDelayed 5761
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeWindow / User API: threadDelayed 3456
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CredentialManagement.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tracing.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Xml.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CommunityToolkit.WinUI.Notifications.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlSerializer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Ping.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI49FA.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI31D.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI8CE5.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\CredentialManagement.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.MemoryMappedFiles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TraceSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI8CE5.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI49FA.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Watcher.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 6640ce.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Pubnub.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI61D8.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tools.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID32.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 6640cc.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.StackTrace.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI466F.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 6640cd.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI25CF.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI61D8.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 6640cf.rbf (copy)Jump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF30D.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI68F0.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI466F.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI69FA.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI8CE5.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI24A5.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI61D8.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeDropped PE file which has not been started: C:\Windows\Temp\SplashtopStreamer.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI49FA.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI466F.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI61D8.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI268B.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF30D.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID81.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF30D.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI49FA.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI65A3.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.ResourceManager.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Numerics.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 6640cb.rbf (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NetworkInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\t2tWinFormAppBarLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Writer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.WinForm.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA72.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NameResolution.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.IsolatedStorage.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Http.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI49FA.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\QRCoder.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Principal.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI61D8.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI8CE5.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI8CE5.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Calendars.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF30D.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF699.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.SecureString.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF30D.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI466F.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI466F.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.ReaderWriter.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2C97.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.FileVersionInfo.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeRegistry key enumerated: More than 126 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                                Source: C:\Windows\SysWOW64\rundll32.exe TID: 7256Thread sleep time: -30000s >= -30000sJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7672Thread sleep time: -60000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7616Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7860Thread sleep count: 6981 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7860Thread sleep count: 2805 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8168Thread sleep count: 40 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8168Thread sleep time: -36893488147419080s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8168Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7176Thread sleep time: -230000s >= -30000s
                                Source: C:\Windows\SysWOW64\rundll32.exe TID: 8120Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2176Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7192Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4268Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1988Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7344Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3132Thread sleep count: 7357 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3132Thread sleep count: 2182 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 4864Thread sleep count: 38 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 4864Thread sleep time: -35048813740048126s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 5144Thread sleep time: -230000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3744Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 5960Thread sleep time: -270000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5336Thread sleep count: 5310 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3924Thread sleep count: 4561 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -23980767295822402s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -599875s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -599765s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -599656s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -599544s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -599426s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -599301s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -599172s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -599062s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -598952s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -598843s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -598730s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -598624s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -598515s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -598406s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -598295s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -598187s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -598076s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -597968s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -597859s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -597750s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -597640s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -597531s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -597421s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -597312s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -597203s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -597093s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -596942s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -596812s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -596702s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -596593s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -596483s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -596375s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -596265s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -596155s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -596046s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -595919s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -595812s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -595703s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4196Thread sleep time: -595593s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep count: 40 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -36893488147419080s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7804Thread sleep count: 5600 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -599859s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -599749s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -599634s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -599515s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7804Thread sleep count: 4215 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -599406s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -599250s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -599140s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -599031s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -598917s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -598812s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -598696s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -598578s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -598468s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -598359s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -598239s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -598115s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -597993s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -597882s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -597765s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -597653s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -597509s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -597390s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -597280s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -597171s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -597060s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -596939s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -596794s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -596670s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -596557s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -596453s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -596343s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -596234s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -596124s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -596015s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -595906s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -595796s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -595686s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -595578s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -595468s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -595359s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -595249s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -595140s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -595031s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -594921s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -594812s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -594703s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -594593s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -594482s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -594359s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -594202s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -594093s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -593984s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7760Thread sleep time: -593875s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 4912Thread sleep count: 3852 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 6700Thread sleep time: -20291418481080494s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 6700Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 5116Thread sleep count: 2322 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 2144Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 8108Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7160Thread sleep count: 3774 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7160Thread sleep count: 1539 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 5680Thread sleep time: -12912720851596678s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 5680Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7388Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 720Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5760Thread sleep count: 1541 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5820Thread sleep count: 100 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5328Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3044Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 5968Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6664Thread sleep count: 5895 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -23980767295822402s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -599859s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -599750s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 6664Thread sleep count: 3913 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -599640s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -599522s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -599420s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -599312s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -599193s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -599031s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -598906s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -598797s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -598687s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -598578s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -598468s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -598359s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -598250s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -598140s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -598031s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -597922s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -597803s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -597687s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -597577s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -597467s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -597353s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -597230s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -597113s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -597000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -596890s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -596781s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -596672s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -596551s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -596375s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -596248s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -596119s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -595989s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -595828s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -595710s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -595590s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -595481s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -595375s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -595265s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -595154s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -595046s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -594937s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -594828s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -594718s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -594609s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -594500s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -594375s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -594250s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -594140s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -594031s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5776Thread sleep time: -593922s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 6048Thread sleep count: 6641 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 6048Thread sleep count: 3130 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 5112Thread sleep time: -24903104499507879s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 5112Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 2552Thread sleep count: 5761 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 6756Thread sleep time: -25825441703193356s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 4348Thread sleep count: 3456 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 6756Thread sleep time: -290078s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 2176Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 6676Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile opened: PhysicalDrive0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Manufacturer,SoftwareElementID,ReleaseDate from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Manufacturer,SoftwareElementID,ReleaseDate from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain FROM Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain,Workgroup,Domain FROM Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain,Workgroup,Domain FROM Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                                Source: C:\Windows\SysWOW64\rundll32.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile Volume queried: C:\ FullSizeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 90000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599544
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599426
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599301
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599172
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599062
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598952
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598843
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598730
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598624
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598515
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598406
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598295
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598076
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597968
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597859
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597750
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597531
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597421
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597312
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597203
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597093
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596942
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596812
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596702
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596593
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596483
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596375
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596265
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596155
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596046
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595919
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595812
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595703
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595593
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599859
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599749
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599634
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599515
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599406
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599250
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599140
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598917
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598812
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598696
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598578
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598468
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598359
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598239
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598115
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597993
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597882
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597653
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597509
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597390
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597280
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597171
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597060
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596939
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596794
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596670
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596557
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596453
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596343
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596234
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596124
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596015
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595906
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595796
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595686
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595578
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595468
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595359
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595249
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595140
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594921
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594812
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594703
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594593
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594482
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594359
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594202
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594093
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599859
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599750
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599522
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599420
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599312
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599193
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598906
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598797
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598687
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598578
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598468
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598359
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598250
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598140
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597803
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597687
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597577
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597467
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597353
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597230
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597113
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596890
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596781
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596672
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596551
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596375
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596248
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596119
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595989
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595828
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595710
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595481
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595375
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595265
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595154
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595046
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594937
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594828
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594718
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594609
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594500
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594375
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594250
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594140
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeThread delayed: delay time: 290078
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeThread delayed: delay time: 922337203685477
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service0
                                Source: AgentPackageAgentInformation.exe, 0000002C.00000002.2443302908.00000209F3461000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware
                                Source: svchost.exe, 00000029.00000002.2695498442.0000027118813000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 006000C298128B8C02A71A2474AEB5F3DC
                                Source: AgentPackageAgentInformation.exe, 0000001F.00000002.2195115514.00000228AA9ED000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002C.00000002.2433137766.00000209F3260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
                                Source: svchost.exe, 00000029.00000002.2695819165.000002711882B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @"VMware"
                                Source: AgentPackageAgentInformation.exe, 0000001F.00000002.2206622464.00000228AAC1E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk6
                                Source: AgentPackageAgentInformation.exe, 0000001F.00000002.2195013149.00000228AA9E4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceSynchronizes the system time of this virtual machine with the system time of the physical computer.Hyper-V Time Synchronization ServicevmictimesyncStopped
                                Source: AgentPackageAgentInformation.exe, 0000001F.00000002.2194702358.00000228AA9C6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicvss"
                                Source: AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC71AD000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2301079436.00000244FB078000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2301079436.00000244FB050000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.2286854496.000002D4EC402000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2748240282.00000208AFB58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                                Source: AgentPackageAgentInformation.exe, 0000002C.00000002.2399031709.0000020980083000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Win32_Service.Name="vmicshutdown"p^G
                                Source: AgentPackageUpgradeAgent.exe, 00000031.00000002.2748240282.00000208AFB58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RA
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0056B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
                                Source: AgentPackageAgentInformation.exe, 0000002C.00000002.2443302908.00000209F3461000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk
                                Source: AgentPackageAgentInformation.exe, 0000001F.00000002.2183822521.0000022891980000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002C.00000002.2428332429.00000209F2289000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
                                Source: AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC7159000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`
                                Source: AgentPackageAgentInformation.exe, 0000002C.00000002.2428332429.00000209F2289000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStoppedlp
                                Source: AgentPackageAgentInformation.exe, 0000002C.00000002.2399031709.0000020980083000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: |Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
                                Source: AgentPackageAgentInformation.exe.16.drBinary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
                                Source: rundll32.exe, 00000013.00000002.1566817664.0000000002F24000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Hyper-V PowerShell Direct Service0
                                Source: AgentPackageAgentInformation.exe, 0000002C.00000002.2399031709.0000020980083000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicshutdown
                                Source: Atera.AgentPackages.CommonLib.dll.28.drBinary or memory string: vmware
                                Source: svchost.exe, 00000029.00000002.2695938974.000002711884B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JSetPropValue.Manufacturer("VMware");
                                Source: AgentPackageAgentInformation.exe, 0000002C.00000002.2434486924.00000209F3288000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicheartbeatvmicheartbeatStopped
                                Source: AgentPackageMonitoring.exe, 00000027.00000002.2109546115.0000023E000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.2255590261.000002D4D3D9D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF000E9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
                                Source: AgentPackageAgentInformation.exe, 0000002C.00000002.2399031709.0000020980083000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "Win32_Service.Name="vmicheartbeat"p^G
                                Source: AgentPackageAgentInformation.exe, 0000002C.00000002.2399031709.0000020980083000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Time Synchronization Service
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0056B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware20,1
                                Source: AgentPackageAgentInformation.exe, 0000002C.00000002.2399031709.0000020980083000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicvss
                                Source: AgentPackageAgentInformation.exe, 0000001F.00000002.2193535658.00000228AA930000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicheartbeatvmicheartbeatStopped
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0056B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 6VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
                                Source: AgentPackageAgentInformation.exe, 0000002C.00000002.2433137766.00000209F3260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a platform for communication between the virtual machine and the operating system running on the physical computer.Hyper-V Remote Desktop Virtualization ServicevmicrdvStopped[]
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2651916021.000001CF6A881000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, IncP2
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0056B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware20,12G
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface0
                                Source: AgentPackageAgentInformation.exe, 0000001F.00000002.2184887619.0000022891A60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicshutdownvmicshutdownStoppedX
                                Source: svchost.exe, 00000029.00000002.2699737179.0000027118D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SPACES_PhysicalDisk{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{3c527940-1853-195e-fb1a-27cdb1f80e4a}6000C298128B8C02A71A2474AEB5F3DCVMware Virtual diskVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AgentPackageAgentInformation.exe, 0000002C.00000002.2399031709.0000020980083000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicvss"p^G
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0056B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIES1371
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0056B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Volume Shadow Copy Requestor0
                                Source: AgentPackageAgentInformation.exe, 0000001F.00000002.2183822521.0000022891A0B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002C.00000002.2433137766.00000209F3260000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002C.00000002.2399031709.0000020980083000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2651916021.000001CF6A881000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIEX6
                                Source: AgentPackageAgentInformation.exe, 0000001F.00000002.2195013149.00000228AA9E4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
                                Source: AgentPackageAgentInformation.exe, 0000001F.00000002.2195013149.00000228AA9E4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002C.00000002.2399031709.0000020980083000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
                                Source: AgentPackageAgentInformation.exe, 0000002C.00000002.2399031709.0000020980083000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -Hyper-V Remote Desktop Virtualization Service
                                Source: AgentPackageAgentInformation.exe, 0000001F.00000002.2194702358.00000228AA9C6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicshutdown"
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0056B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0056B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.2G
                                Source: AgentPackageAgentInformation.exe, 0000002C.00000002.2399031709.0000020980083000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
                                Source: svchost.exe, 00000029.00000002.2696366309.000002711887B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .@SetPropValue.FriendlyName("VMware Virtual disk");
                                Source: svchost.exe, 00000029.00000002.2695938974.000002711884B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dSetPropValue.FriendlyName("VMware Virtual disk");
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0056B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware-42 27 88
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0056B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Virtual R
                                Source: AgentPackageAgentInformation.exe, 0000002C.00000002.2434486924.00000209F3288000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicshutdownvmicshutdownStoppedL
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -Hyper-V Remote Desktop Virtualization Service0
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0056B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.
                                Source: AgentPackageAgentInformation.exe, 0000002C.00000002.2399031709.0000020980083000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0056B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II2G
                                Source: AteraAgent.exe, 0000000E.00000002.1493058761.000001ECC70D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%\System32\fveui.dll,-844o
                                Source: AgentPackageAgentInformation.exe, 0000001F.00000002.2195013149.00000228AA9E4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Time Synchronization Service
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Shutdown Service0
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0056B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
                                Source: svchost.exe, 00000029.00000002.2695938974.000002711884B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMware20,1NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dnSS @
                                Source: AteraAgent.exe, 0000001C.00000002.2608669984.0000022CF3399000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW,
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0056B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM2G
                                Source: AgentPackageAgentInformation.exe, 0000001F.00000002.2194200396.00000228AA97E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicvssvmicvssStopped^NQ
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2651916021.000001CF6A881000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                                Source: svchost.exe, 00000003.00000002.2695940392.000001CE43C2B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1391880423.0000000002BC5000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.1933416029.0000015DFA2BF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000018.00000002.1933415725.00000282544C6000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2196212355.00000228AAAD9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000025.00000002.2766551156.000001DFC1E5F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000002.2117333113.0000023E7A031000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002C.00000002.2441045970.00000209F3392000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2748240282.00000208AFB58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                Source: svchost.exe, 00000029.00000002.2697769832.00000271188C9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AgentPackageAgentInformation.exe, 0000001F.00000002.2183822521.0000022891980000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStopped
                                Source: AgentPackageAgentInformation.exe, 0000001F.00000002.2195115514.00000228AA9ED000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a platform for communication between the virtual machine and the operating system running on the physical computer.Hyper-V Remote Desktop Virtualization ServicevmicrdvStopped
                                Source: AgentPackageAgentInformation.exe, 0000001F.00000002.2195013149.00000228AA9E4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.Hyper-V PowerShell Direct ServicevmicvmsessionStopped
                                Source: AteraAgent.exe, 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000000.2056898678.0000023E78DB2000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 00000027.00000002.2115675181.0000023E79182000.00000002.00000001.01000000.0000001F.sdmp, Atera.AgentPackages.CommonLib.dll.28.drBinary or memory string: get_IsVirtualMachine
                                Source: AgentPackageAgentInformation.exe, 0000001F.00000002.2195013149.00000228AA9E4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.Hyper-V Guest Service InterfacevmicguestinterfaceStopped
                                Source: AteraAgent.exe, 00000010.00000002.2296793931.00000244FAD4D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWP
                                Source: AgentPackageAgentInformation.exe, 0000002C.00000002.2443302908.00000209F3461000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MSFT_PhysicalDisk{1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\SPACES_PhysicalDisk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{3c527940-1853-195e-fb1a-27cdb1f80e4a}"6000C298128B8C02A71A2474AEB5F3DCVMware Virtual diskVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AgentPackageAgentInformation.exe, 0000001F.00000002.2195013149.00000228AA9E4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
                                Source: svchost.exe, 00000029.00000002.2695498442.0000027118813000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk6000C298128B8C02A71A2474AEB5F3DC0VMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dc2.0
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Time Synchronization Service0
                                Source: AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0056B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
                                Source: svchost.exe, 00000029.00000002.2697769832.00000271188C9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @SetPropValue.Manufacturer("VMware");
                                Source: AteraAgent.exe, 00000010.00000002.2242589005.0000024480001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service0
                                Source: AgentPackageAgentInformation.exe, 0000002C.00000002.2438530742.00000209F330F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicshutdowne(O
                                Source: AgentPackageAgentInformation.exe, 0000001F.00000002.2183822521.0000022891A0B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002C.00000002.2433137766.00000209F3260000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.Hyper-V Data Exchange ServicevmickvpexchangeStopped
                                Source: AgentPackageAgentInformation.exe, 0000002C.00000002.2399031709.0000020980083000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Hyper-V PowerShell Direct Service
                                Source: svchost.exe, 00000029.00000002.2697769832.00000271188C9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000h
                                Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C47B4C __crtCaptureCurrentContext,IsDebuggerPresent,__crtUnhandledException,39_2_00007FFB02C47B4C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C8AFB0 OutputDebugStringA,GetProcessHeap,OutputDebugStringA,GetLastError,lstrlenW,HeapAlloc,OutputDebugStringA,GetEnvironmentVariableW,OutputDebugStringA,GetLastError,OutputDebugStringA,GetModuleFileNameW,lstrlenW,OutputDebugStringA,lstrcatW,lstrcatW,lstrcatW,GetFileAttributesW,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,WinVerifyTrust,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetEnvironmentVariableW,OutputDebugStringA,GetCurrentThreadId,GetCurrentProcessId,wsprintfW,GetEnvironmentVariableW,SetEnvironmentVariableW,_errno,_errno,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetLastError,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,HeapFree,_snprintf,OutputDebugStringA,39_2_00007FFB02C8AFB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C51910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,39_2_00007FFB02C51910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C8AFB0 OutputDebugStringA,GetProcessHeap,OutputDebugStringA,GetLastError,lstrlenW,HeapAlloc,OutputDebugStringA,GetEnvironmentVariableW,OutputDebugStringA,GetLastError,OutputDebugStringA,GetModuleFileNameW,lstrlenW,OutputDebugStringA,lstrcatW,lstrcatW,lstrcatW,GetFileAttributesW,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,WinVerifyTrust,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetEnvironmentVariableW,OutputDebugStringA,GetCurrentThreadId,GetCurrentProcessId,wsprintfW,GetEnvironmentVariableW,SetEnvironmentVariableW,_errno,_errno,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetLastError,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,HeapFree,_snprintf,OutputDebugStringA,39_2_00007FFB02C8AFB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C4ACD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,39_2_00007FFB02C4ACD4
                                Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: page read and write | page guardJump to behavior

                                HIPS / PFW / Operating System Protection Evasion

                                barindex
                                System process connects to network (likely due to code injection or exploit)
                                Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.119.152.241 443
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="ibarra3168@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000ODucuIAD" /AgentId="5ea19671-d970-4e60-89b1-722649f3b810"Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgentJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exeJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgentJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "1fc16f57-6eb4-4ae2-999f-a0059e46a084" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "b169c455-145e-4bb1-8ab1-50dcde04909e" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "d2d11576-3590-4185-9a38-cc8b3bdf45d0" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "565525fa-351e-40ec-a343-6f2744ff6d7e" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "345e95c7-6808-46fb-8299-d48876510569" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "eedd4cdd-5579-4207-ae57-b13ccd121903" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "eedd4cdd-5579-4207-ae57-b13ccd121903" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "d2d2be46-3b57-4869-a6b9-15804b85d2e6" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "99606d51-99fd-437f-9dca-e8b9473d35de" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "36a6e7ff-f179-4645-aa27-c561b454e5ca" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "f8e916f1-5ec1-45cf-af7d-3313f4cd01ba" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "5d15feda-d051-4164-a19c-70689c4a1b8c" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000ODucuIAD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="ibarra3168@gmail.com" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000oducuiad" /agentid="5ea19671-d970-4e60-89b1-722649f3b810"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "1fc16f57-6eb4-4ae2-999f-a0059e46a084" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000oducuiad
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "b169c455-145e-4bb1-8ab1-50dcde04909e" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000oducuiad
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "d2d11576-3590-4185-9a38-cc8b3bdf45d0" agent-api.atera.com/production 443 or8ixli90mf "identified" 001q300000oducuiad
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "565525fa-351e-40ec-a343-6f2744ff6d7e" agent-api.atera.com/production 443 or8ixli90mf "generalinfo fromgui" 001q300000oducuiad
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagestremote\agentpackagestremote.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "345e95c7-6808-46fb-8299-d48876510569" agent-api.atera.com/production 443 or8ixli90mf "install eyjsbw1db2rlijoiafpdrezqaes3nw1kiiwiumvxdwvzdfblcm1pc3npb25pchrpb24iom51bgwsiljlcxvpcmvqyxnzd29yze9wdglvbii6bnvsbcwiugfzc3dvcmqiom51bgx9" 001q300000oducuiad
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "eedd4cdd-5579-4207-ae57-b13ccd121903" agent-api.atera.com/production 443 or8ixli90mf "syncprofile" 001q300000oducuiad
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "eedd4cdd-5579-4207-ae57-b13ccd121903" agent-api.atera.com/production 443 or8ixli90mf "syncprofile" 001q300000oducuiad
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "d2d2be46-3b57-4869-a6b9-15804b85d2e6" agent-api.atera.com/production 443 or8ixli90mf "generalinfo" 001q300000oducuiad
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageupgradeagent\agentpackageupgradeagent.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "99606d51-99fd-437f-9dca-e8b9473d35de" agent-api.atera.com/production 443 or8ixli90mf "checkforupdates" 001q300000oducuiad
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageticketing\agentpackageticketing.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "36a6e7ff-f179-4645-aa27-c561b454e5ca" agent-api.atera.com/production 443 or8ixli90mf "maintain" 001q300000oducuiad
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "f8e916f1-5ec1-45cf-af7d-3313f4cd01ba" agent-api.atera.com/production 443 or8ixli90mf "monitor" 001q300000oducuiad
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageosupdates\agentpackageosupdates.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "5d15feda-d051-4164-a19c-70689c4a1b8c" agent-api.atera.com/production 443 or8ixli90mf "getlistofallupdates" 001q300000oducuiad
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="ibarra3168@gmail.com" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000oducuiad" /agentid="5ea19671-d970-4e60-89b1-722649f3b810"Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "1fc16f57-6eb4-4ae2-999f-a0059e46a084" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000oducuiad
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "b169c455-145e-4bb1-8ab1-50dcde04909e" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000oducuiad
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "d2d11576-3590-4185-9a38-cc8b3bdf45d0" agent-api.atera.com/production 443 or8ixli90mf "identified" 001q300000oducuiad
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "565525fa-351e-40ec-a343-6f2744ff6d7e" agent-api.atera.com/production 443 or8ixli90mf "generalinfo fromgui" 001q300000oducuiad
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagestremote\agentpackagestremote.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "345e95c7-6808-46fb-8299-d48876510569" agent-api.atera.com/production 443 or8ixli90mf "install eyjsbw1db2rlijoiafpdrezqaes3nw1kiiwiumvxdwvzdfblcm1pc3npb25pchrpb24iom51bgwsiljlcxvpcmvqyxnzd29yze9wdglvbii6bnvsbcwiugfzc3dvcmqiom51bgx9" 001q300000oducuiad
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "eedd4cdd-5579-4207-ae57-b13ccd121903" agent-api.atera.com/production 443 or8ixli90mf "syncprofile" 001q300000oducuiad
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "eedd4cdd-5579-4207-ae57-b13ccd121903" agent-api.atera.com/production 443 or8ixli90mf "syncprofile" 001q300000oducuiad
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "d2d2be46-3b57-4869-a6b9-15804b85d2e6" agent-api.atera.com/production 443 or8ixli90mf "generalinfo" 001q300000oducuiad
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageupgradeagent\agentpackageupgradeagent.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "99606d51-99fd-437f-9dca-e8b9473d35de" agent-api.atera.com/production 443 or8ixli90mf "checkforupdates" 001q300000oducuiad
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageticketing\agentpackageticketing.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "36a6e7ff-f179-4645-aa27-c561b454e5ca" agent-api.atera.com/production 443 or8ixli90mf "maintain" 001q300000oducuiad
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "f8e916f1-5ec1-45cf-af7d-3313f4cd01ba" agent-api.atera.com/production 443 or8ixli90mf "monitor" 001q300000oducuiad
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageosupdates\agentpackageosupdates.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "5d15feda-d051-4164-a19c-70689c4a1b8c" agent-api.atera.com/production 443 or8ixli90mf "getlistofallupdates" 001q300000oducuiad
                                Source: t2tWinFormAppBarLib.dll.28.drBinary or memory string: Progman!SHELLDLL_DefViewYLeft: {0}, Top: {1}, Right: {2}, Bottom: {3}%PreFilterMessage())Calling Set Position
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C4739C cpuid 39_2_00007FFB02C4739C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI466F.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI466F.tmp-\AlphaControlAgentInstallation.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI49FA.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI49FA.tmp-\AlphaControlAgentInstallation.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI49FA.tmp-\Newtonsoft.Json.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI61D8.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI61D8.tmp-\AlphaControlAgentInstallation.dll VolumeInformationJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI8CE5.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI8CE5.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI8CE5.tmp-\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIF30D.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIF30D.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C4CC04 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,39_2_00007FFB02C4CC04
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C485D4 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,_malloc_crt,_invoke_watson,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,39_2_00007FFB02C485D4
                                Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiVirusProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiSpywareProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from FirewallProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiVirusProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiSpywareProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from FirewallProduct

                                Stealing of Sensitive Information

                                barindex
                                Queries disk data (e.g. SMART data)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeDevice IO: \Device\Harddisk0\DR0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeDevice IO: \Device\Harddisk0\DR0

                                Remote Access Functionality

                                barindex
                                Yara detected AteraAgent
                                Source: Yara matchFile source: 57.2.AgentPackageOsUpdates.exe.232c0cd0000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 53.2.AgentPackageTicketing.exe.21aa3780000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 53.0.AgentPackageTicketing.exe.21aa2f90000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 22.2.AgentPackageAgentInformation.exe.15de14c0000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 39.0.AgentPackageMonitoring.exe.23e78db0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 22.0.AgentPackageAgentInformation.exe.15de1040000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 53.2.AgentPackageTicketing.exe.21aa37a0000.2.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 39.2.AgentPackageMonitoring.exe.23e79180000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 49.0.AgentPackageUpgradeAgent.exe.20896910000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 37.0.AgentPackageSTRemote.exe.1dfa8b70000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 14.0.AteraAgent.exe.1ecacc20000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 57.0.AgentPackageOsUpdates.exe.232c0930000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0000002C.00000002.2399031709.00000209805EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2295288201.00000244F9F10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2505638725.0000022CDB50E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2184887619.0000022891A60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2517968191.00000232C0AF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2399031709.000002098059F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1501466468.00007FFAAB604000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1488317441.000001ECACD20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2715321995.0000021AA3C0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2305626780.00000244FB18A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2653786616.000001CF6B632000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2500498014.0000022CDA341000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2505638725.0000022CDB4F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1492267116.000001ECAE98C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2114702922.0000023E78FB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2439191857.00000209F332D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2330361315.00007FFB02DE0000.00000004.00000001.01000000.0000001E.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2427657808.00000209F2160000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000006.00000003.1334354641.00000000046F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2185552488.00000228921FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2286854496.000002D4EC383000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2500498014.0000022CDA36E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2344871020.000002A428515000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2527720679.00000232C19BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1493783437.000001ECC73CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2240920259.000000E0570F5000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2523572336.00000232C0CD2000.00000002.00000001.01000000.00000032.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.1935837164.00007FFB22780000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2712915043.0000021AA37A2000.00000002.00000001.01000000.0000003F.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2715321995.0000021AA3952000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.1948149338.00000215446B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2654733713.00007FFB22780000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2301079436.00000244FB0C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2505638725.0000022CDB1D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2551284476.000001CF0028D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2255590261.000002D4D3CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2292174769.000002D4ED52F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2787070847.00007FFB22780000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2700828671.0000021AA30B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2697855430.0000020896A2B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2551284476.000001CF006EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2527720679.00000232C15D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000003.2423466752.000000000468B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2046966892.0000019CD71B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2194932088.00000228AA9D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2109546115.0000023E00001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000000.2056898678.0000023E78DB2000.00000002.00000001.01000000.0000001D.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2710720925.000001DFA9891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2116294333.0000023E79330000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2346957319.000001C373890000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2288124073.00000244F9B8B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2185552488.0000022892001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2608669984.0000022CF3464000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000002.1567660735.0000000004C97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2748240282.00000208AFB50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2632890840.000001CF697F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2183822521.00000228919C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2505638725.0000022CDB518000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2114702922.0000023E78F7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2505638725.0000022CDAEF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2700723829.000001DFA8DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.1931526964.0000015DE1450000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2710720925.000001DFA9781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2748240282.00000208AFBDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2748240282.00000208AFBA2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2183822521.000002289199C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2505638725.0000022CDB409000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2505638725.0000022CDB62D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2647061264.000001CF6A7B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2505638725.0000022CDB600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2242589005.00000244802FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1492267116.000001ECAE989000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2585887796.00000232D9AD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000003.2049099082.00000142B2127000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.1947301334.0000021544036000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2631638800.000001CF69640000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2527720679.00000232C162C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2632890840.000001CF697B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2348029883.000002A428760000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2715321995.0000021AA3ABD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1488317441.000001ECACD26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2708999474.000002089747D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003B.00000003.2545087834.0000021009770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2500498014.0000022CDA338000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2653581424.000001CF6B427000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2185552488.000002289222D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2632890840.000001CF6978B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.1932095576.000002823BD1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2504104161.0000022CDA610000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.1930670845.000002823B3EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2049485693.00000142B2100000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2498081213.0000003F352F0000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1492267116.000001ECAEA66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1490390918.000001ECAD0E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000003.2281878514.000001C3738B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2443302908.00000209F348B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1493058761.000001ECC71AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2499323416.0000003F354F5000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2505638725.0000022CDACC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2399031709.0000020980047000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2551284476.000001CF00532000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2251712890.000002D4D32F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2551284476.000001CF0031B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000000.2002012642.000001DFA8B72000.00000002.00000001.01000000.0000001C.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1492267116.000001ECAE901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2242589005.0000024480791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2697855430.00000208969A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2697855430.00000208969EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2710720925.000001DFA9883000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2655398589.000001CF6B7C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2185262488.0000022891BD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.1930670845.000002823B3B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000003.2342185102.000001262B543000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2551284476.000001CF006F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.1947301334.0000021543FB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1488317441.000001ECACD44000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2499088312.0000003F353F5000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2505638725.0000022CDB1CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2518593398.00000232C0C02000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2706912193.0000020896EB5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2185552488.0000022892229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2527720679.00000232C1497000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.1931745402.0000015DE14C2000.00000002.00000001.01000000.0000001A.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2193908329.00000228AA954000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2551284476.000001CF00283000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2715321995.0000021AA396F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003B.00000003.2475440163.0000021009837000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2185552488.00000228921C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2242589005.0000024480411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000006.00000002.1392754612.00000000048E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2183822521.0000022891980000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2711924313.0000021AA3782000.00000002.00000001.01000000.0000003E.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2693629738.00007FFB22780000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2183822521.00000228919BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2242589005.0000024480670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2114432540.0000023E78EA0000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2346643600.000001C373603000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2608669984.0000022CF33CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2491178901.0000003F336F5000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2631918416.000001CF69770000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2291303812.000002D4ED2A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2693345585.00007FFB02EB9000.00000004.00000001.01000000.0000001E.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2527720679.00000232C1607000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2183822521.0000022891A0B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2344871020.000002A4284CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000003.2045547001.0000019CD71E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2452020258.00007FFB22780000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2242589005.00000244802FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2242589005.00000244802EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2288124073.00000244F9B70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2500498014.0000022CDA330000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2700828671.0000021AA3096000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2748240282.00000208AFB58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2288124073.00000244F9BFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.1932095576.000002823BCA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2242589005.0000024480084000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2766551156.000001DFC1E5F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2292408482.00000244F9C70000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2618399069.0000022CF3764000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2346643600.000001C3735EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.2344707904.000001262B510000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2185552488.00000228925E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000002.1567660735.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2301079436.00000244FB050000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000007.00000003.1397903526.000000000503E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2499774173.0000003F357F5000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2296793931.00000244FAD10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2242589005.0000024480694000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2700723829.000001DFA8E30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2527720679.00000232C155E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2518593398.00000232C0C9E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2049708275.00000142B23E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2348262212.000002A428C13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2585887796.00000232D9AF2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2500353718.0000022CDA200000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2120534612.0000023E7AEF5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2527720679.00000232C171B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2697855430.00000208969AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.1931857757.000002823B770000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2708999474.0000020897311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2710720925.000001DFA97FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2399031709.0000020980073000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2185552488.00000228921FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2527720679.00000232C1554000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.1947301334.0000021543FB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2428332429.00000209F2289000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2700828671.0000021AA30FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.1948149338.00000215446C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2399031709.0000020980001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2505638725.0000022CDB516000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2700723829.000001DFA8E7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2344871020.000002A428490000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1492267116.000001ECAE9B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2193535658.00000228AA930000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2109546115.0000023E005B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2618399069.0000022CF3767000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1492267116.000001ECAEA7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2505638725.0000022CDB65F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2505638725.0000022CDB254000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2527720679.00000232C13C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.1932095576.000002823BCE3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000003.1508366399.0000000004B6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2301079436.00000244FB0AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2505638725.0000022CDAD2B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2527720679.00000232C19AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.1931975649.0000015DE1941000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2711398337.0000021AA33E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2242589005.0000024480067000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000000.1891055349.0000015DE1042000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2344871020.000002A4284AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2551284476.000001CF006AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000005.00000003.1329264986.00000000042F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2632890840.000001CF697AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2185552488.0000022892093000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2505638725.0000022CDB54F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2195115514.00000228AA9ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2120503047.0000023E7ACF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2242589005.00000244805FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.1947977774.0000021544250000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.1932095576.000002823BCD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2242589005.00000244803C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2185552488.0000022892163000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000033.00000002.2348262212.000002A428B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000000.2402109129.00000232C0932000.00000002.00000001.01000000.0000002D.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1493737340.000001ECC72B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2505638725.0000022CDB17C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1501992693.00007FFB22780000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2433137766.00000209F3260000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2185552488.0000022892298000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2242589005.0000024480294000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2618399069.0000022CF36D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2303594626.00000244FB0ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2115675181.0000023E79182000.00000002.00000001.01000000.0000001F.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2251712890.000002D4D3374000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.1930670845.000002823B436000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000006.00000002.1392754612.0000000004841000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2693864394.000000094D513000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1488317441.000001ECACDB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.1933415725.00000282544C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2505638725.0000022CDB217000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000003.2342913944.000001262B544000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2708999474.0000020897569000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2700828671.0000021AA30BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2518593398.00000232C0C0A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2251712890.000002D4D3335000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000003.2346269765.000001C373607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2608669984.0000022CF3399000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2255590261.000002D4D3D9D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2697855430.00000208969E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2551284476.000001CF003DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2329151775.00007FFB22780000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2505638725.0000022CDB512000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2500498014.0000022CDA3BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2212392989.00007FFB22780000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2505638725.0000022CDB617000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.1930670845.000002823B3B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000003.1978769069.00000142B2400000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2251425774.000002D4D32A0000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.1930465528.0000015DE117D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.1935804433.00007FFB22780000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2698696592.000001DFA8D10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2618399069.0000022CF3688000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1488317441.000001ECACD82000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2286854496.000002D4EC402000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2700723829.000001DFA8DFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2303594626.00000244FB154000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2551284476.000001CF006BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2693903632.0000002D9F560000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2428332429.00000209F2200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2694455413.00000061556F1000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2700828671.0000021AA307C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1492267116.000001ECAE9B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2499472432.0000003F355F5000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2242589005.00000244803B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2242589005.00000244803B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000000.2368008929.0000021AA2F92000.00000002.00000001.01000000.0000002C.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2551284476.000001CF000E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2114702922.0000023E78F70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2654249143.000001CF6B649000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2505638725.0000022CDB190000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2551284476.000001CF0044A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2120719229.0000023E7AF06000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2518593398.00000232C0BCC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2642284571.000001CF69A60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2049485693.00000142B210B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2505638725.0000022CDB053000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2646544993.000001CF6A7A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2706502188.0000020896CE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2117333113.0000023E79FA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1488317441.000001ECACD62000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2518593398.00000232C0C4D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000000.1421332845.000001ECACC22000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2117333113.0000023E7A031000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2288124073.00000244F9B78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2399031709.00000209805E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2049485693.00000142B2123000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.1931975649.0000015DE19C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2251712890.000002D4D32F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2608669984.0000022CF33E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1488317441.000001ECACD4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000000.2321100224.0000020896912000.00000002.00000001.01000000.00000029.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2114702922.0000023E78FB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2840252632.0000021ABC1FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2114702922.0000023E78FFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1492267116.000001ECAE9BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2505638725.0000022CDB51E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2505638725.0000022CDB228000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2653986357.000001CF6B635000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2242589005.0000024480198000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2254306094.000002D4D3550000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2251712890.000002D4D332B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2109546115.0000023E000EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2428332429.00000209F223C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2551284476.000001CF00001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2700828671.0000021AA3070000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2428332429.00000209F221B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.1930465528.0000015DE10F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2499918187.0000003F358F5000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2551284476.000001CF00294000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2518593398.00000232C0BC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2697855430.0000020896A81000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.1947301334.0000021543FEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000E.00000002.1492267116.000001ECAEA32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2505638725.0000022CDB1B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2047374090.0000019CD71E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.1930670845.000002823B3CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2132948601.00007FFB02DD9000.00000004.00000001.01000000.0000001E.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2748240282.00000208AFBF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2499622561.0000003F356F5000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2631918416.000001CF69779000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.1931975649.0000015DE19B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.1930465528.0000015DE1131000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.1948149338.0000021544641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2346643600.000001C3735E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2242589005.00000244802B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.1930670845.000002823B3F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.1930465528.0000015DE1133000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.2344873609.000001262B544000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.2242589005.0000024480001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2618399069.0000022CF372E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.2715321995.0000021AA38F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.2505638725.0000022CDAF71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.1932095576.000002823BC61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2255590261.000002D4D4267000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2527720679.00000232C1682000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2255590261.000002D4D3CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2551284476.000001CF0056B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2399031709.0000020980083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2399031709.00000209801D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5428, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7204, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7340, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AteraAgent.exe PID: 7596, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AteraAgent.exe PID: 7808, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 8044, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 1860, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 2380, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 2860, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AteraAgent.exe PID: 7340, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7568, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 2816, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cscript.exe PID: 5480, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageSTRemote.exe PID: 7960, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageMonitoring.exe PID: 7856, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageMonitoring.exe PID: 7432, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 6076, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 5996, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cscript.exe PID: 2684, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageUpgradeAgent.exe PID: 4216, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageUpgradeAgent.exe PID: 1368, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageTicketing.exe PID: 3008, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageMonitoring.exe PID: 2312, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageOsUpdates.exe PID: 2724, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 4472, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 644, type: MEMORYSTR
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\log.txt, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF3C9EDA7385DB5313.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF8A7712CC4AE893DF.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF528258350F0B1D00.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF4765DD586EC322CA.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF84FB0B0A21BF328B.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF904BDEEE192733B7.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI2494.tmp, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFC168934D7CAB4E4C.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\6640c8.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF330B201BF0755807.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF5E7EB2916F860181.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF9DBD3FBDDA378897.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI6564.tmp, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI466F.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\6640c3.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\6640d0.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF4BC2DB7B878D0352.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI49FA.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSIF30D.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFFF916F8E542E7C7E.TMP, type: DROPPED
                                Source: Yara matchFile source: dropped/ConDrv, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\AteraSetupLog.txt, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF7BD736307C5033B0.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFDA32A04F2E009779.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI8CE5.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFF4E8FE80C7797540.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFE845B009CBBBBBAE.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF45F41F117CAD3B03.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI61D8.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF0BD6765B203B669B.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSIA61.tmp, type: DROPPED
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 39_2_00007FFB02C8B9F0 GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_snprintf,OutputDebugStringA,39_2_00007FFB02C8B9F0

                                Mitre Att&ck Matrix

                                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                                Gather Victim Identity Information1
                                Scripting                                		1
                                Replication Through Removable Media                                		641
                                Windows Management Instrumentation                                		1
                                Scripting                                		1
                                DLL Side-Loading                                		21
                                Disable or Modify Tools                                		OS Credential Dumping2
                                System Time Discovery                                		Remote Services11
                                Archive Collected Data                                		2
                                Encrypted Channel                                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                                CredentialsDomainsDefault Accounts1
                                Native API                                		1
                                DLL Side-Loading                                		31
                                Windows Service                                		11
                                Deobfuscate/Decode Files or Information                                		LSASS Memory11
                                Peripheral Device Discovery                                		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
                                Email AddressesDNS ServerDomain Accounts1
                                Command and Scripting Interpreter                                		31
                                Windows Service                                		112
                                Process Injection                                		31
                                Obfuscated Files or Information                                		Security Account Manager2
                                File and Directory Discovery                                		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
                                Employee NamesVirtual Private ServerLocal Accounts11
                                Scheduled Task/Job                                		11
                                Scheduled Task/Job                                		11
                                Scheduled Task/Job                                		1
                                Timestomp                                		NTDS275
                                System Information Discovery                                		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                                Gather Victim Network InformationServerCloud Accounts11
                                Service Execution                                		Network Logon ScriptNetwork Logon Script1
                                DLL Side-Loading                                		LSA Secrets1
                                Query Registry                                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                                File Deletion                                		Cached Domain Credentials781
                                Security Software Discovery                                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items123
                                Masquerading                                		DCSync12
                                Process Discovery                                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                                Modify Registry                                		Proc Filesystem371
                                Virtualization/Sandbox Evasion                                		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt371
                                Virtualization/Sandbox Evasion                                		/etc/passwd and /etc/shadow1
                                Application Window Discovery                                		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron112
                                Process Injection                                		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                                Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd1
                                Rundll32                                		Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption

                                Behavior Graph

                                Hide Legend

                                Legend:

                                • Process
                                • Signature
                                • Created File
                                • DNS/IP Info
                                • Is Dropped
                                • Is Windows Process
                                • Number of created Registry Values
                                • Number of created Files
                                • Visual Basic
                                • Delphi
                                • Java
                                • .Net C# or VB.NET
                                • C, C++ or other language
                                • Is malicious
                                • Internet
                                behaviorgraph top1 signatures2 2 Behavior Graph ID: 1567497 Sample: Infraccion-Multa.msi Startdate: 03/12/2024 Architecture: WINDOWS Score: 100 180 Multi AV Scanner detection for dropped file 2->180 182 Multi AV Scanner detection for submitted file 2->182 184 Yara detected AteraAgent 2->184 186 8 other signatures 2->186 10 msiexec.exe 107 102 2->10         started        13 AteraAgent.exe 2->13         started        17 AgentPackageUpgradeAgent.exe 2->17         started        19 4 other processes 2->19 process3 dnsIp4 122 C:\Windows\Installer\MSIF699.tmp, PE32 10->122 dropped 124 C:\Windows\Installer\MSIF30D.tmp, PE32 10->124 dropped 126 C:\Windows\Installer\MSI8CE5.tmp, PE32 10->126 dropped 134 59 other files (50 malicious) 10->134 dropped 21 msiexec.exe 10->21         started        23 AteraAgent.exe 10->23         started        28 msiexec.exe 10->28         started        30 msiexec.exe 10->30         started        168 108.158.75.46 AMAZON-02US United States 13->168 170 13.232.67.198 AMAZON-02US United States 13->170 128 C:\...128ewtonsoft.Json.dll, PE32 13->128 dropped 130 C:\...\Atera.AgentPackage.Common.dll, PE32 13->130 dropped 132 C:\...\AgentPackageSTRemote.exe, PE32 13->132 dropped 136 27 other malicious files 13->136 dropped 202 Creates files in the system32 config directory 13->202 204 Reads the Security eventlog 13->204 206 Reads the System eventlog 13->206 32 AgentPackageAgentInformation.exe 13->32         started        34 AgentPackageMonitoring.exe 13->34         started        36 AgentPackageSTRemote.exe 13->36         started        40 4 other processes 13->40 38 conhost.exe 17->38         started        172 40.81.94.65 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 19->172 file5 signatures6 process7 dnsIp8 42 AteraAgent.exe 21->42         started        47 rundll32.exe 21->47         started        57 3 other processes 21->57 156 199.232.210.172 FASTLYUS United States 23->156 158 192.229.221.95 EDGECASTUS United States 23->158 116 C:\Windows\System32\InstallUtil.InstallLog, Unicode 23->116 dropped 118 C:\...\AteraAgent.InstallLog, Unicode 23->118 dropped 192 Creates files in the system32 config directory 23->192 194 Reads the Security eventlog 23->194 196 Reads the System eventlog 23->196 49 rundll32.exe 28->49         started        59 2 other processes 30->59 51 conhost.exe 32->51         started        53 conhost.exe 34->53         started        160 52.223.39.232 AMAZONEXPANSIONGB United States 36->160 162 13.227.8.46 AMAZON-02US United States 36->162 120 C:\Windows\Temp\SplashtopStreamer.exe, PE32 36->120 dropped 55 conhost.exe 36->55         started        61 5 other processes 40->61 file9 signatures10 process11 dnsIp12 164 108.158.75.12 AMAZON-02US United States 42->164 148 166 other malicious files 42->148 dropped 198 Installs Task Scheduler Managed Wrapper 42->198 63 AgentPackageUpgradeAgent.exe 42->63         started        67 AgentPackageMonitoring.exe 42->67         started        70 AgentPackageOsUpdates.exe 42->70         started        82 4 other processes 42->82 138 C:\...\AlphaControlAgentInstallation.dll, PE32 47->138 dropped 150 3 other files (none is malicious) 47->150 dropped 200 System process connects to network (likely due to code injection or exploit) 47->200 140 C:\...\AlphaControlAgentInstallation.dll, PE32 49->140 dropped 152 3 other files (none is malicious) 49->152 dropped 166 40.119.152.241 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 57->166 142 C:\...\AlphaControlAgentInstallation.dll, PE32 57->142 dropped 144 C:\...\AlphaControlAgentInstallation.dll, PE32 57->144 dropped 146 C:\...\AlphaControlAgentInstallation.dll, PE32 57->146 dropped 154 9 other files (none is malicious) 57->154 dropped 72 conhost.exe 59->72         started        74 net1.exe 59->74         started        76 conhost.exe 59->76         started        78 conhost.exe 61->78         started        80 cscript.exe 61->80         started        file13 signatures14 process15 dnsIp16 174 20.60.197.1 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 63->174 104 C:\...\System.ValueTuple.dll, PE32 63->104 dropped 106 C:\Program Files (x86)\...\Pubnub.dll, PE32 63->106 dropped 108 C:\...108ewtonsoft.Json.dll, PE32 63->108 dropped 114 4 other malicious files 63->114 dropped 84 conhost.exe 63->84         started        86 msiexec.exe 63->86         started        110 C:\Program Files (x86)\...\log.txt, ASCII 67->110 dropped 188 Queries disk data (e.g. SMART data) 67->188 88 conhost.exe 67->88         started        176 20.50.88.227 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 70->176 190 Creates files in the system32 config directory 70->190 90 conhost.exe 70->90         started        178 152.199.23.209 EDGECASTUS United States 82->178 112 C:\...\TicketingTray.exe (copy), PE32 82->112 dropped 92 cmd.exe 82->92         started        94 conhost.exe 82->94         started        96 conhost.exe 82->96         started        98 2 other processes 82->98 file17 signatures18 process19 process20 100 conhost.exe 92->100         started        102 cscript.exe 92->102         started       

                                Screenshots

                                Thumbnails

                                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                                windows-stand

                                Antivirus, Machine Learning and Genetic Malware Detection

                                Initial Sample

                                SourceDetectionScannerLabelLink
                                Infraccion-Multa.msi29%ReversingLabsWin32.Trojan.Atera

                                Dropped Files

                                SourceDetectionScannerLabelLink
                                6640c9.rbf (copy)24%ReversingLabsWin32.Trojan.Atera
                                6640cb.rbf (copy)0%ReversingLabs
                                6640cc.rbf (copy)0%ReversingLabs
                                6640cd.rbf (copy)0%ReversingLabs
                                6640ce.rbf (copy)0%ReversingLabs
                                6640cf.rbf (copy)0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe24%ReversingLabsWin32.Trojan.Atera
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dll0%ReversingLabs

                                Unpacked PE Files

                                No Antivirus matches

                                Domains

                                No Antivirus matches

                                URLs

                                No Antivirus matches

                                Domains and IPs

                                Contacted Domains

                                No contacted domains info

                                URLs from Memory and Binaries

                                NameSourceMaliciousAntivirus DetectionReputation
                                https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/24.2/AgentPackageSTRemote.ziphAteraAgent.exe, 00000010.00000002.2242589005.0000024480411000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmpfalse
                                  https://monitor.azure.com//.defaultAgentPackageOsUpdates.exe, 00000039.00000002.2596284621.00000232D9C52000.00000002.00000001.01000000.00000037.sdmpfalse
                                    https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/AgentPackageSTRemote.zipAteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803FB000.00000004.00000800.00020000.00000000.sdmpfalse
                                      HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGETICKETING/30.2/AGENTPACKAGETICKETING.ZIPAteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpfalse
                                        http://schemas.datacontract.orgAteraAgent.exe, 0000000E.00000002.1492267116.000001ECAE9BA000.00000004.00000800.00020000.00000000.sdmpfalse
                                          https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zipAteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpfalse
                                            https://ps.atera.com/installers/EO.WebBrowser/eo.webbrowser.24.1.46.nupkgXAgentPackageTicketing.exe, 00000035.00000002.2715321995.0000021AA3ABD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000035.00000002.2715321995.0000021AA396F000.00000004.00000800.00020000.00000000.sdmpfalse
                                              https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.8/AgentPackageSystemTools.zip?qVuAteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB1D8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAF71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                https://nlog-project.org/AgentPackageMonitoring.exe, 00000027.00000002.2119202416.0000023E7A258000.00000002.00000001.01000000.00000024.sdmp, AgentPackageMonitoring.exe, 00000027.00000002.2118441460.0000023E7A182000.00000002.00000001.01000000.00000024.sdmpfalse
                                                  https://agent-api.atera.com/Production/Agent/track-eventrundll32.exe, 00000006.00000002.1392754612.00000000048E4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1392754612.0000000004841000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1567660735.0000000004C97000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1567660735.0000000004BF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    http://dl.google.com/googletalk/googletalk-setup.exeAgentPackageAgentInformation.exe, 00000016.00000000.1891055349.0000015DE1042000.00000002.00000001.01000000.00000018.sdmp, AgentPackageAgentInformation.exe.16.drfalse
                                                      https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip?qVuhOAteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=80c798ac-64f4-4a1a-a2b4-52603b701f0fAteraAgent.exe, 00000010.00000002.2242589005.0000024480198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          https://agent-api.atera.com/Production/Agent/thresholds/5ea19671-d970-4e60-89b1-722649f3b810AgentPackageMonitoring.exe, 0000002A.00000002.2255590261.000002D4D3D9D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            http://schemas.datacontract.org/2004/07/System.ServiceProcessAteraAgent.exe, 0000000E.00000002.1492267116.000001ECAE9BA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.40/AgentPackageMonitoring.zAteraAgent.exe, 00000010.00000002.2242589005.00000244803FB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                https://my.splashtop.com/csrs/winAgentPackageSTRemote.exe, 00000025.00000000.2002012642.000001DFA8B72000.00000002.00000001.01000000.0000001C.sdmpfalse
                                                                  http://wixtoolset.orgrundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmp, Infraccion-Multa.msi, 6640c2.msi.2.drfalse
                                                                    HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.AVAILABILITY/0.16/AGENT.PACKAGE.AVAILABILITY.ZAteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB053000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEHEARTBEAT/17.14/AGENTPACKAGEHEARTBEAT.ZIPAteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAF71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip?qVuhOZAteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB1D8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAF71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          https://agent-api.atera.com/Production/Agent/track-event;rundll32.exe, 00000006.00000002.1392754612.0000000004926000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1567660735.0000000004CD6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.9/Agent.Package.Watchdog.zip?qVuhOZAteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB1D8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB053000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstallerAteraAgent.exe, 00000010.00000002.2242589005.0000024480102000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480067000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAD8D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                http://acontrol.atera.com/AteraAgent.exe, 0000000E.00000000.1421332845.000001ECACC22000.00000002.00000001.01000000.00000010.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480001000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDACC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  https://agent-api.atera.com/Production/Agent/dynamic-fields/AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.000002289222D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    https://dc.services.visualstudio.com/pcAgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C167C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      https://westeurope-5.in.applicationinsights.azure.coAgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C171B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        https://westeurope-5.in.applicationinsights.azure.com/AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C171B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zipAteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.2/AgentPackageTicketing.zipAteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namerundll32.exe, 00000006.00000002.1392754612.00000000048E4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1392754612.0000000004841000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480001000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1567660735.0000000004C97000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1567660735.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.1931975649.0000015DE19C3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000018.00000002.1932095576.000002823BD1F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDACC1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.0000022892001000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.000002289222D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000025.00000002.2710720925.000001DFA9891000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000002.2109546115.0000023E000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.2255590261.000002D4D3D9D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002C.00000002.2399031709.00000209801D4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2708999474.0000020897311000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000035.00000002.2715321995.0000021AA38F1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0031B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C1575000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                https://westeurope-5.in.applicationinsights.azure.com/v2/trackAgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C1497000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C171B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zipAteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480067000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAD23000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.8/AgentPackageSystemTools.zipAteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGERUNTIMEINSTALLER/1.6/AGENTPACKAGERUNTIMEINSTALLEAteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB053000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        http://my.splashtop.comAgentPackageSTRemote.exe, 00000025.00000002.2710720925.000001DFA9918000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEOSUPDATES/20.9/AGENTPACKAGEOSUPDATES.ZIPAteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            https://api.nuget.org/v3-flatcontainer/eo.webbrowser/24.1.46/eo.webbrowser.24.1.46.nupkgAgentPackageTicketing.exe, 00000035.00000002.2715321995.0000021AA3ABD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000035.00000002.2715321995.0000021AA396F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000035.00000002.2711924313.0000021AA3782000.00000002.00000001.01000000.0000003E.sdmpfalse
                                                                                                              https://api.nuget.org/v3-flatcontainer/eo.webbrowser/24.1.46/eo.webbrowser.2AgentPackageTicketing.exe, 00000035.00000002.2715321995.0000021AA3C0A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                https://dc.services.visualstudio.com/XAgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C162C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  https://westeurope-5.in.applicationinsights.azure.com/;LiveEndpoint=https://westeurope.livediagnostiAgentPackageOsUpdates.exe, 00000039.00000000.2402109129.00000232C0932000.00000002.00000001.01000000.0000002D.sdmpfalse
                                                                                                                    https://download.splashtop.com/csrs/Splashtop_Streamer_Win_DEPLOY_INSTALLER_v3.7.2.4.exeAgentPackageSTRemote.exe, 00000025.00000002.2710720925.000001DFA9939000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000025.00000002.2710720925.000001DFA993D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000025.00000002.2710720925.000001DFA9918000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      https://dc.services.visualstudio.com/pAgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C171B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        https://download.splashtop.comAgentPackageSTRemote.exe, 00000025.00000002.2710720925.000001DFA993D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zipAteraAgent.exe, 00000010.00000002.2242589005.0000024480102000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAD8D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            https://agent-api.atera.comAteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803B7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480001000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480799000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1567660735.0000000004C97000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1567660735.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B6C000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.1931975649.0000015DE19C3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000018.00000002.1932095576.000002823BD1F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDACC1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.0000022892001000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.000002289222D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.00000228921C1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.00000228921FD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000002.2109546115.0000023E000EE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.2255590261.000002D4D3D9D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002C.00000002.2399031709.00000209801D4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000035.00000002.2715321995.0000021AA38F1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0031B000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000003.2423466752.000000000468B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              https://www.nuget.org/packages/NLog.Web.AspNetCoreAgentPackageMonitoring.exe, 00000027.00000002.2119202416.0000023E7A258000.00000002.00000001.01000000.00000024.sdmp, AgentPackageMonitoring.exe, 00000027.00000002.2118441460.0000023E7A182000.00000002.00000001.01000000.00000024.sdmpfalse
                                                                                                                                https://dc.services.visualstudio.com/fAgentPackageOsUpdates.exe, 00000039.00000002.2596284621.00000232D9C52000.00000002.00000001.01000000.00000037.sdmpfalse
                                                                                                                                  https://profiler.monitor.azure.com/AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C1497000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    http://www.w3.ohAteraAgent.exe, 0000000E.00000002.1492267116.000001ECAE9BA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      https://agent-api.atera.com/Production/Agent/GetCommandsAteraAgent.exe, 00000010.00000002.2242589005.0000024480084000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480799000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        http://api.nuget.orgAgentPackageTicketing.exe, 00000035.00000002.2715321995.0000021AA3C59000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          http://nlog-project.org/ws/AgentPackageMonitoring.exe, 00000027.00000002.2118441460.0000023E7A182000.00000002.00000001.01000000.00000024.sdmpfalse
                                                                                                                                            http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesTAgentPackageMonitoring.exe, 00000027.00000002.2118441460.0000023E7A182000.00000002.00000001.01000000.00000024.sdmpfalse
                                                                                                                                              https://ps.atera.com/aAteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                https://urn.to/r/sds_seeAgentPackageMonitoring.exe, 00000027.00000002.2120107603.0000023E7A322000.00000002.00000001.01000000.00000026.sdmpfalse
                                                                                                                                                  https://ps.ateHbAteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB600000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.AteraAgent.exe, 00000010.00000002.2242589005.0000024480102000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480067000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAD8D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      http://www.digicert.cAteraAgent.exe, 00000010.00000002.2303594626.00000244FB154000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=a83ac249-f18b-4dba-8400-02a2a4eb8697AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB51E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAF71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          https://snapshot.monitor.azure.com/AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C1497000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C171B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            https://my.splashtop.comAgentPackageSTRemote.exe, 00000025.00000002.2710720925.000001DFA9891000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              http://cacerts.digicert.AteraAgent.exe, 00000010.00000002.2303594626.00000244FB154000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000025.00000002.2766551156.000001DFC1ED8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/24.2/AgentPackageSTRemote.zipAteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803FB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  https://system.data.sqlite.org/XAgentPackageMonitoring.exe, 00000027.00000002.2120429636.0000023E7A384000.00000002.00000001.01000000.00000026.sdmpfalse
                                                                                                                                                                    https://api.nuget.orgpAgentPackageTicketing.exe, 00000035.00000002.2715321995.0000021AA396F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9AteraAgent.exe, 00000010.00000002.2242589005.0000024480067000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        http://www.abit.com.tw/AgentPackageMonitoring.exe, 00000027.00000002.2116479281.0000023E79722000.00000002.00000001.01000000.00000021.sdmp, AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF000E9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0056B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          https://dc.services.visualstudio.com/v2/trackAgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C167C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            https://agent-api.atera.com/Production/Agent/recurringCommandResultAgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.00000228921C1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.00000228921FD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002C.00000002.2399031709.00000209801D4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              https://api.nuget.orgAgentPackageTicketing.exe, 00000035.00000002.2715321995.0000021AA3C0A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.2/AgentPackageTicketing.zip?qVuhOZTAteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  https://agent-api.atera.com/Production/Agent/AcknowledgeCommandsAteraAgent.exe, 00000010.00000002.2242589005.00000244803B7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    http://maps.google.com/maps?q=QRCoder.dll.28.drfalse
                                                                                                                                                                                      https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exeAgentPackageSTRemote.exe, 00000025.00000000.2002012642.000001DFA8B72000.00000002.00000001.01000000.0000001C.sdmpfalse
                                                                                                                                                                                        https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zipAteraAgent.exe, 00000010.00000002.2242589005.0000024480102000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAD8D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          https://agent-api.atera.com/Production/Agent/CommandResultRecurring/AgentPackageTicketingInstallHelpAgentPackageTicketing.exe, 00000035.00000002.2715321995.0000021AA38F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            https://agent-api.PAgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.000002289222D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.0000022892298000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              https://ps.atera.com/agentpackagesnetAteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                http://www.w3.oAteraAgent.exe, 0000000E.00000002.1492267116.000001ECAE9BA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Fhttps://profiler.monitorAgentPackageOsUpdates.exe, 00000039.00000002.2596284621.00000232D9C52000.00000002.00000001.01000000.00000037.sdmpfalse
                                                                                                                                                                                                    https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformatiAteraAgent.exe, 00000010.00000002.2242589005.0000024480198000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      https://agent-api.atera.com/Production/Alerts/AddAlertsFromAgentAgentPackageMonitoring.exe, 00000037.00000002.2551284476.000001CF0031B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        https://github.com/JamesNK/Newtonsoft.Jsonrundll32.exe, 00000005.00000003.1329264986.000000000432A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1334354641.0000000004724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.1397903526.000000000506F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244805FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244802B3000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1508366399.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.1933075717.0000015DFA1C2000.00000002.00000001.01000000.0000001B.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB228000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000027.00000002.2119277255.0000023E7A262000.00000002.00000001.01000000.00000025.sdmp, AgentPackageUpgradeAgent.exe, 00000033.00000002.2350135963.000002A441320000.00000002.00000001.01000000.0000002B.sdmp, rundll32.exe, 0000003D.00000003.2423466752.00000000046BC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0e930743-54d5-40de-b19a-46cd66679682AteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            https://profiler.monitor.azure.com/pAgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C171B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000039.00000002.2527720679.00000232C167C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              https://ps.pndsnAteraAgent.exe, 00000010.00000002.2242589005.00000244803C2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803C8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB51E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                https://www.sqlite.org/copyright.html2AgentPackageMonitoring.exe, 00000027.00000002.2133059733.00007FFB02DE4000.00000002.00000001.01000000.0000001E.sdmpfalse
                                                                                                                                                                                                                  https://profiler.monitor.azure.com/lAgentPackageOsUpdates.exe, 00000039.00000002.2596284621.00000232D9C52000.00000002.00000001.01000000.00000037.sdmpfalse
                                                                                                                                                                                                                    https://ps.atera.com/translations/TicketingTray/AgentPackageTicketing.exe, 00000035.00000002.2711924313.0000021AA3782000.00000002.00000001.01000000.0000003E.sdmpfalse
                                                                                                                                                                                                                      https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.9/Agent.Package.Watchdog.zipAteraAgent.exe, 00000010.00000002.2242589005.0000024480102000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480067000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        https://api.nuHAgentPackageTicketing.exe, 00000035.00000002.2715321995.0000021AA3C0A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                          https://agent-api.atera.com/Production/Agent/guiCommAgentPackageAgentInformation.exe, 0000001F.00000002.2185552488.0000022892298000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                            https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/24.2/AgentPackageSTRemote.zip?qVuhOZTCWAteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                              HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEPROGRAMMANAGEMENT/26.3/AGENTPACKAGEPROGRAMMANAGEAteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zipAteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.0000024480067000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAD23000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                  https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/24.2/AgentPackageSTRemote.zipAteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000010.00000002.2242589005.00000244803FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                    HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMONITORING/37.8/AGENTPACKAGEMONITORING.ZIPAteraAgent.exe, 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                      https://ps.atera.com/agentpackagesnet45/AgentPackageInternalPoller/23.8/AgentPackageInternalPoller.zAteraAgent.exe, 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDB1D8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDAEF5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmpfalse

                                                                                                                                                                                                                                        World Map of Contacted IPs

                                                                                                                                                                                                                                        • No. of IPs < 25%
                                                                                                                                                                                                                                        • 25% < No. of IPs < 50%
                                                                                                                                                                                                                                        • 50% < No. of IPs < 75%
                                                                                                                                                                                                                                        • 75% < No. of IPs

                                                                                                                                                                                                                                        Public IPs

                                                                                                                                                                                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                                                                                                        40.119.152.241
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		8075MICROSOFT-CORP-MSN-AS-BLOCKUStrue
                                                                                                                                                                                                                                        192.229.221.95
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		15133EDGECASTUSfalse
                                                                                                                                                                                                                                        13.227.8.46
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		16509AMAZON-02USfalse
                                                                                                                                                                                                                                        152.199.23.209
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		15133EDGECASTUSfalse
                                                                                                                                                                                                                                        13.232.67.198
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		16509AMAZON-02USfalse
                                                                                                                                                                                                                                        40.81.94.65
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                                                                                                                                                                                                                                        108.158.75.46
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		16509AMAZON-02USfalse
                                                                                                                                                                                                                                        20.60.197.1
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                                                                                                                                                                                                                                        199.232.210.172
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		54113FASTLYUSfalse
                                                                                                                                                                                                                                        108.158.75.12
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		16509AMAZON-02USfalse
                                                                                                                                                                                                                                        52.223.39.232
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		8987AMAZONEXPANSIONGBfalse
                                                                                                                                                                                                                                        20.50.88.227
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse

                                                                                                                                                                                                                                        General Information

                                                                                                                                                                                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                                                                        Analysis ID:1567497
                                                                                                                                                                                                                                        Start date and time:2024-12-03 16:26:16 +01:00
                                                                                                                                                                                                                                        Joe Sandbox product:CloudBasic
                                                                                                                                                                                                                                        Overall analysis duration:0h 14m 1s
                                                                                                                                                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                                                                                                                                                        Report type:full
                                                                                                                                                                                                                                        Cookbook file name:default.jbs
                                                                                                                                                                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                                                                        Number of analysed new started processes analysed:62
                                                                                                                                                                                                                                        Number of new started drivers analysed:0
                                                                                                                                                                                                                                        Number of existing processes analysed:0
                                                                                                                                                                                                                                        Number of existing drivers analysed:0
                                                                                                                                                                                                                                        Number of injected processes analysed:0
                                                                                                                                                                                                                                        Technologies:
                                                                                                                                                                                                                                        • HCA enabled
                                                                                                                                                                                                                                        • EGA enabled
                                                                                                                                                                                                                                        • AMSI enabled
                                                                                                                                                                                                                                        Analysis Mode:default
                                                                                                                                                                                                                                        Analysis stop reason:Timeout
                                                                                                                                                                                                                                        Sample name:Infraccion-Multa.msi
                                                                                                                                                                                                                                        Detection:MAL
                                                                                                                                                                                                                                        Classification:mal100.troj.spyw.evad.winMSI@98/396@0/12
                                                                                                                                                                                                                                        EGA Information:
                                                                                                                                                                                                                                        • Successful, ratio: 15.4%
                                                                                                                                                                                                                                        HCA Information:
                                                                                                                                                                                                                                        • Successful, ratio: 66%
                                                                                                                                                                                                                                        • Number of executed functions: 435
                                                                                                                                                                                                                                        • Number of non-executed functions: 2
                                                                                                                                                                                                                                        Cookbook Comments:
                                                                                                                                                                                                                                        • Found application associated with file extension: .msi

                                                                                                                                                                                                                                        Warnings

                                                                                                                                                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 1860 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 2380 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 2860 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageSTRemote.exe, PID 7960 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AteraAgent.exe, PID 7340 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AteraAgent.exe, PID 7596 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AteraAgent.exe, PID 7808 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 5428 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 7204 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 7340 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 8044 because it is empty
                                                                                                                                                                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                                                                                                                        • Skipping network analysis since amount of network traffic is too extensive
                                                                                                                                                                                                                                        • VT rate limit hit for: Infraccion-Multa.msi

                                                                                                                                                                                                                                        Simulations

                                                                                                                                                                                                                                        Behavior and APIs

                                                                                                                                                                                                                                        TimeTypeDescription
                                                                                                                                                                                                                                        10:27:23API Interceptor2x Sleep call for process: rundll32.exe modified
                                                                                                                                                                                                                                        10:27:29API Interceptor20499x Sleep call for process: AteraAgent.exe modified
                                                                                                                                                                                                                                        12:17:48API Interceptor78x Sleep call for process: AgentPackageAgentInformation.exe modified
                                                                                                                                                                                                                                        12:17:59API Interceptor1687x Sleep call for process: AgentPackageSTRemote.exe modified
                                                                                                                                                                                                                                        12:18:02API Interceptor110x Sleep call for process: AgentPackageMonitoring.exe modified
                                                                                                                                                                                                                                        12:18:36API Interceptor45x Sleep call for process: AgentPackageOsUpdates.exe modified
                                                                                                                                                                                                                                        12:18:37API Interceptor230x Sleep call for process: AgentPackageTicketing.exe modified
                                                                                                                                                                                                                                        18:18:29Task SchedulerRun new task: Monitoring Recovery path: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe s>schedulerrun

                                                                                                                                                                                                                                        Joe Sandbox View / Context

                                                                                                                                                                                                                                        IPs

                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                        Domains

                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                        ASNs

                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                        JA3 Fingerprints

                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                        Dropped Files

                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                        Created / dropped Files

                                                                                                                                                                                                                                        6640c9.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 24%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..e.........."...0.............f$... ...@....@.. ...............................1....`..................................$..O....@..,...............0(...`......."............................................... ............... ..H............text...|.... ...................... ..`.rsrc...,....@......................@..@.reloc.......`......................@..B................H$......H.......(...D4..........l!..p.............................................{....*.0..N........~......,.~.....+:(.......~....(........(....#.......@....,.(.....+.~.....+..*...0..;........(.......(.....1.(.......(........+....,.~.....+.~.....+..*..0..6........~....%-.&~..........s....%.....s ......o!.....o"....*...0..O........(...........~#...r...po$..........,..rG..ps%...z.rO..p.....(&....~.....o'....*..0..>........~#...r...po(............,'.~#...r...po$............,.rG..ps%...

                                                                                                                                                                                                                                        6640ca.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86

                                                                                                                                                                                                                                        6640cb.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ....................................`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        6640cc.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......J.....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        6640cd.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X............." ..0............." ... ...@....... ....................................`.....................................O....@..|...............0(...`..........T............................................ ............... ..H............text...(.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................. ......H............{..................x.......................................r.(......}......}......}....*....0..,........-..{.....o...+.+..{.....{....s.....o...+..*V.(......}......}....*...0...................-..+..o....s"........o$......o,....,..o....,...,....o(........,...oH...,...o......+.......9......o....,..{......o....o....o......s..........o&...8.....{......o....o........9e.....o.....?X.....r...po....9G.....r...po....o....r...p.( ...9&.....r...po....9......r...po....o.....

                                                                                                                                                                                                                                        6640ce.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`.......f....@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        6640cf.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R............" ..0..r2..........&1.. ....2...... ........................2.....i.3...@.................................G&1.O.....2..............|2.0(....2.....X.(.p............................................ ............... ..H............text....p2.. ...r2................. ..`.rsrc.........2......t2.............@..@.reloc........2......z2.............@..B................{&1.....H...........$....................(.....................................V!........s.........*.~....-*(....o....o....o.........~....-.~.........~....*..( ...*...0..G.......(!....o"....s.1....s*,..%..(.... ....o.....o 0...Zo....t....o8(..(....*..0..$..........(.....(....o.....(!.......io#...*z...(....(!....o"...o....(....*..0............T....r...p.(O....o$....(....*..0..I.......sG...sB)..s.(..s.(...(....s6(....,..o%....2...(....sV(....+.....%..ox...*..( ...*V.(&.....}......}..

                                                                                                                                                                                                                                        C:\Config.Msi\6640c3.rbs

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8841
                                                                                                                                                                                                                                        Entropy (8bit):5.656985126818268
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:7jcxz1ccbTOOeMeQC6157r6IHf57r6kAVv70HVotBVeZEmzmYpLAV77WGpY9rr:7ID20RpRtiB2is
                                                                                                                                                                                                                                        MD5:53379133F8416A7B3F25B51AECC9F43E
                                                                                                                                                                                                                                        SHA1:CBFA5244FE5DAD17CAB3E821374BE606675C4B96
                                                                                                                                                                                                                                        SHA-256:9B92E496A7A0588AE3F24E9C11CA50CE8CD7A5D1D7C647A7F2BD770F0C184492
                                                                                                                                                                                                                                        SHA-512:86D6AB6D7B03FDF662F2680F311DF77B227BF946A3F29A247A5C679A6BCFEE153BE3C94B85039ADC226EE51ACE4E06485BA3710F960FCFBF8C4D7CDDA4624C8C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\6640c3.rbs, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@nS.Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..Infraccion-Multa.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{38F010

                                                                                                                                                                                                                                        C:\Config.Msi\6640c8.rbs

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9507
                                                                                                                                                                                                                                        Entropy (8bit):5.5648119207867675
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:UjcGQcRObLCsgRAbLCMDp17qEVl0FKLALtyD0qagukGGhaKfmbHt1fGmk0rEcZ:UIcR4gRmdrKKvmhT
                                                                                                                                                                                                                                        MD5:DD9B68B845714C0EEEB1192C0071B5FB
                                                                                                                                                                                                                                        SHA1:0B357C4E2A0667FD7A2B213A3339B856E5DFE924
                                                                                                                                                                                                                                        SHA-256:A0F1F53D0F59994C9F678CA72ACD8E3B32331D279D0C1FD4EEE719415A0282F7
                                                                                                                                                                                                                                        SHA-512:D724A440264A843B6EC1A6A8C1216D90DF7C4493547680486B7C2C42DEE37A539CBECA36269724AF18E28BE2DD37B96E6C8B1FC6C9FED00B20B229ADF45B0389
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\6640c8.rbs, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.S.Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..Infraccion-Multa.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....InstallInitialize$..@....z.Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7D0A237E2F2A7564CA141B792446E854\Transforms...@....(.$..@....@.Software\Microsoft\Windows\CurrentVersion\Installer\TempPackages...@....(.&...C:\Windows\Installer\6640c4.msi..#0$..@......Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7D0A237E2F2A7564CA141B792446E854\InstallPropertiesx.....\...l.............H.........?...................9...................?........... ... ........... ... ................@....%...AuthorizedCDFPrefix%...Comments%...Contact%...DisplayVersion..1.8.7.2%...HelpLink%.

                                                                                                                                                                                                                                        C:\Config.Msi\6640d0.rbs

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8767
                                                                                                                                                                                                                                        Entropy (8bit):5.654411867016694
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:My7wo+fncHMes1f6ITf6k7s5VNpkxYpLso:MPo+fncHIfVftSNpkcP
                                                                                                                                                                                                                                        MD5:DB5D7D2E166E122F81A44D4679E1FE0E
                                                                                                                                                                                                                                        SHA1:C28FEEF6FA73B5F325A6DBB801AF927AF5183848
                                                                                                                                                                                                                                        SHA-256:F32032300E3CD0DE8EFB6524854BEE62A6D5D0B8F6DC18A5F6BE7328E1F7AB25
                                                                                                                                                                                                                                        SHA-512:972AA69B8577A85F4340D19CB1404D7A03D7FCBBB98C0043873255CEBF0C3E5F191D06653D37353E4E835A5A9EC036381B468BF8955A75896B9A9E8972683F16
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\6640d0.rbs, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\6640d0.rbs, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.S.Y.@.....@.....@.....@.....@.....@......&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}..AteraAgent..ateraAgentSetup64_1_8_7_2.msi.@.....@.....@.....@........&.{911E9E2F-B38D-4D02-A148-5E49FC9D8943}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):753
                                                                                                                                                                                                                                        Entropy (8bit):4.853078320826549
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                                                                                                                                                        MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                                                                                                                                                        SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                                                                                                                                                        SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                                                                                                                                                        SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallState

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):7466
                                                                                                                                                                                                                                        Entropy (8bit):5.1606801095705865
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                                                                                                                                                        MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                                                                                                                                                        SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                                                                                                                                                        SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                                                                                                                                                        SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 24%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..e.........."...0.............f$... ...@....@.. ...............................1....`..................................$..O....@..,...............0(...`......."............................................... ............... ..H............text...|.... ...................... ..`.rsrc...,....@......................@..@.reloc.......`......................@..B................H$......H.......(...D4..........l!..p.............................................{....*.0..N........~......,.~.....+:(.......~....(........(....#.......@....,.(.....+.~.....+..*...0..;........(.......(.....1.(.......(........+....,.~.....+.~.....+..*..0..6........~....%-.&~..........s....%.....s ......o!.....o"....*...0..O........(...........~#...r...po$..........,..rG..ps%...z.rO..p.....(&....~.....o'....*..0..>........~#...r...po(............,'.~#...r...po$............,.rG..ps%...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R............" ..0..r2..........&1.. ....2...... ........................2.....i.3...@.................................G&1.O.....2..............|2.0(....2.....X.(.p............................................ ............... ..H............text....p2.. ...r2................. ..`.rsrc.........2......t2.............@..@.reloc........2......z2.............@..B................{&1.....H...........$....................(.....................................V!........s.........*.~....-*(....o....o....o.........~....-.~.........~....*..( ...*...0..G.......(!....o"....s.1....s*,..%..(.... ....o.....o 0...Zo....t....o8(..(....*..0..$..........(.....(....o.....(!.......io#...*z...(....(!....o"...o....(....*..0............T....r...p.(O....o$....(....*..0..I.......sG...sB)..s.(..s.(...(....s6(....,..o%....2...(....sV(....+.....%..ox...*..( ...*V.(&.....}......}..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ....................................`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......J.....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):384542
                                                                                                                                                                                                                                        Entropy (8bit):7.999374626035649
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:6144:viqRTU5exRWDCtTLvL0XRFJE9A+BQlv9I+NBsNQvaNXvhGf1mzVeUXJLo:vil/DSLvAJ6CxBHmJXVpJLo
                                                                                                                                                                                                                                        MD5:4A09A87D2004DAC4B00687E9C9F15036
                                                                                                                                                                                                                                        SHA1:C78BB288E7A96642093ABE44CB9B7BBD3EC447BA
                                                                                                                                                                                                                                        SHA-256:2DBC8CF2592604C09793CBED61E0B072B1B1FFA375FB3C9ABCA83FA0E18AB9A5
                                                                                                                                                                                                                                        SHA-512:F555F5A0BB80514BC71BB33A77620D28A9E6715E538372AAA7F0500BC8D5BFE8511F5CA982E15304422479FF693E6F38510D6616A94580FC1B105DD2DA605EAA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-......9lY...}........=...AgentPackageAgentInformation/AgentPackageAgentInformation.exe....(...................,...1.9>ks'6.s+a.....q!b.N......C...... $..:-u.&.......@~...!s.....}...;.._.0.A.... S.....P...(/.Lc..v.!......CH....(..j..T..4m.ty...........;.uj.Dv2..m...`v._....?. ..W.....O.|.EgdF..vL.^../..?!e../eRs..{.[.m........q$0..o..%..2..._....IW`m>".~6.y....w....G.z.v..~.t.#.mg.l7..6#..W..........V..#..........l|.K..=.&q=3y.g..KL.x`.D.L.,..l..Qw...^lSr#\.=...`'&..A.>.ME`..!....g.z....A../........6.||..-.....,...I.3.n.P..%..}oZ.~.'..q]JY)...G]Z=.^..2..[c.t.O5DI.O.H..{>....+n.'...!..#z..(F.Ue."...#.........z....L..tLv.3.8?..t\-..h.e.S.^W.....W..z.....Y|....P.....&.6.\5cs..X....F.......~a...Z@5.@....}....o...8B.?...r.....kS....`iT.q-)8.~.YU....w.kh.]......V..OZEI..@...>.9.......B76.O...b.7.u..kh.L.$....Q...F2^.J.L.C<"m.c..X..-...XQ...P=2.e/.fA...8..a...z...w8W.^w-..[!....QI}:2.?..K....34....}"...........\.%.X.j@G..4...f....<..v@.`.w

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):177704
                                                                                                                                                                                                                                        Entropy (8bit):5.814572246989157
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:2DpvOyLSson7aezB53Pbsk4GJCMA1TSuAehuZ7f2lz8/Cvolc3a:2D4y07asBx4krGSegZX3
                                                                                                                                                                                                                                        MD5:FD9DF72620BCA7C4D48BC105C89DFFD2
                                                                                                                                                                                                                                        SHA1:2E537E504704670B52CE775943F14BFBAF175C1B
                                                                                                                                                                                                                                        SHA-256:847D0CD49CCE4975BAFDEB67295ED7D2A3B059661560CA5E222544E9DFC5E760
                                                                                                                                                                                                                                        SHA-512:47228CBDBA54CD4E747DBA152FEB76A42BFC6CD781054998A249B62DD0426C5E26854CE87B6373F213B4E538A62C08A89A488E719E2E763B7B968E77FBF4FC02
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....2g.........."...0................. ........@.. ..............................y.....`.....................................O.......................((..........X................................................ ............... ..H............text...0.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H...................,....................................................0..........r...p... .....r...p.(.....o......(.....o......(.....o...........s......[o .....s!...%.o".......o#.....s$..........s%...%......io&...%o'.....o(.......o)...o).....(*...*..0..........r...p... .....r...p.(.....o......(.....o.......(+..........s......[o .....s!...%.o".......o,.......s-..........s%......i.l.....%......io........o)...o)...(.........o/...*..(0...*..{....*"..}....*..{....*"..}....*..{.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):546
                                                                                                                                                                                                                                        Entropy (8bit):5.048902065665432
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdG3VSQg9LNFF7ap+5v5OXrRf/2//FicYo4xm:JdASPF7NhOXrRH2/d9r
                                                                                                                                                                                                                                        MD5:158FB7D9323C6CE69D4FCE11486A40A1
                                                                                                                                                                                                                                        SHA1:29AB26F5728F6BA6F0E5636BF47149BD9851F532
                                                                                                                                                                                                                                        SHA-256:5E38EF232F42F9B0474F8CE937A478200F7A8926B90E45CB375FFDA339EC3C21
                                                                                                                                                                                                                                        SHA-512:7EEFCC5E65AB4110655E71BC282587E88242C15292D9C670885F0DAAE30FA19A4B059390EB8E934607B8B14105E3E25D7C5C1B926B6F93BDD40CBD284AAA3CEB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>...<supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhWbn:WCn
                                                                                                                                                                                                                                        MD5:EB053699FC80499A7185F6D5F7D55BFE
                                                                                                                                                                                                                                        SHA1:9700472D22B1995C320507917FA35088AE4E5F05
                                                                                                                                                                                                                                        SHA-256:BCE3DFDCA8F0B57846E914D497F4BB262E3275F05EA761D0B4F4B778974E6967
                                                                                                                                                                                                                                        SHA-512:D66FA39C69D9C6448518CB9F98CBDAD4CE5E93CEEF8D20CE0DEEF91FB3E512B5D5A9458F7B8A53D4B68D693107872C5445E99F87C948878F712F8A79BC761DBF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=38.0

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96808
                                                                                                                                                                                                                                        Entropy (8bit):6.1799972918389185
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:UJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvO1762A:UQUm2H5KTfOLgxFJjE50vksVUfPvO1W
                                                                                                                                                                                                                                        MD5:E2A9291940753244C88CB68D28612996
                                                                                                                                                                                                                                        SHA1:BAD8529A85C32E5C26C907CFB2FB0DA8461407AE
                                                                                                                                                                                                                                        SHA-256:6565E67D5DB582B3DE0B266EB59A8ACEC7CDF9943C020CB6879833D8BD784378
                                                                                                                                                                                                                                        SHA-512:F07669A3939E3E6B5A4D90C3A5B09CA2448E8E43AF23C08F7A8621817A49F7B0F5956D0539333A6DF334CC3E517255242E572EAEF02A7BBF4BC141A438BF9EB9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ..............................Y.....`.................................(f..O.......8............R..((...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):704552
                                                                                                                                                                                                                                        Entropy (8bit):5.953959038895453
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:/9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3i:/8m657w6ZBLmkitKqBCjC0PDgM5y
                                                                                                                                                                                                                                        MD5:3EF8D12AA1D48DEC3AC19A0CEABD4FD8
                                                                                                                                                                                                                                        SHA1:C81B7229A9BD55185A0EDCCB7E6DF3B8E25791CF
                                                                                                                                                                                                                                        SHA-256:18C1DDBDBF47370CC85FA2CF7BA043711AB3EADBD8DA367638686DFD6B735C85
                                                                                                                                                                                                                                        SHA-512:0FF2E8DBFEF7164B22F9AE9865E83154096971C3F0B236D988AB947E803C1ED03D86529AB80D2BE9FF33AF305D34C9B30082F8C26E575F0979CA9287B415F9F9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ........... ...............................C....`.....................................O.......................((.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........{...,..................d.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{^....3...{]......(....,...{]...*..{_.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\dynamicfieldscaching.cch

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):4.656846968584015
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:hsShKkU4MsShLP6SX9NfzyShaKf0OzGShaKf0Od:+4qBX9Nf1Jd
                                                                                                                                                                                                                                        MD5:6A8E4A4B105434D4DC9E0A2A5FA6DF95
                                                                                                                                                                                                                                        SHA1:1773D89E12AB10E9B8F0EDBE0E9F1CD3E38B309A
                                                                                                                                                                                                                                        SHA-256:B144631C678F6335E253905F6A7F521CE2382C129F704636153270AC785A81E4
                                                                                                                                                                                                                                        SHA-512:4286462127246077A3A2D404BD2363C33E41A5E4B08B54780A5156B49C8009020B22791DB89202952C0805224E58F6BCA60060B195F4043DF89730AFD5CF9BEA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................TAgentPackageAgentInformation, Version=38.0.0.0, Culture=neutral, PublicKeyToken=null.....6AgentPackageAgentInformation.Cache.CachedDynamicFields.....<DynamicFields>k__BackingField.<Timestamp>k__BackingField..JAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto[]..............|..r...H...............HAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\information.cch

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35
                                                                                                                                                                                                                                        Entropy (8bit):3.5853087307361733
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:jRjKOc5dWNDUjX:R2ENIjX
                                                                                                                                                                                                                                        MD5:BE8CA3B4A7DC7D018775A63CA644F18F
                                                                                                                                                                                                                                        SHA1:A853765C1F273D77395E0C5E6EE254F3CD50CC77
                                                                                                                                                                                                                                        SHA-256:21F454422A7DFABA3EC4D188FB5008B6D911204DDADBA03607DA472BD80772E6
                                                                                                                                                                                                                                        SHA-512:14D2936667D0F179B1041FCE3C8B2D54B8472DC59348972CAB19B66AD84F9F4753A9FAA498DB70892CB1ADF5B02974562DAE9125CE19F7EDA3BF16E556CE514F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.E424F99DB5FD84191E8EFDF0F8B241F2

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\update.cch

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35
                                                                                                                                                                                                                                        Entropy (8bit):3.771860873964197
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:vrXwHQXjWSwN2XR:rXjW7N2XR
                                                                                                                                                                                                                                        MD5:DE44825C4C6992CBE8353B5B76E81868
                                                                                                                                                                                                                                        SHA1:15C7C405ED5288884305B6B0B20402CE17CE9C1E
                                                                                                                                                                                                                                        SHA-256:1B7216361B18E67C534538D179E1AF28AC2398A03F3439D87311B9508A12686D
                                                                                                                                                                                                                                        SHA-512:6AD9BCCD45F35EFE395A9792124E00680B6AF79F8660E32DA3D26F43812A45416082F27BECE66C9C4F128604E86876E4EADD31DAFB94346684BFFD824C79327C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.94C1228E609E5E7FE676838590658224

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):328916
                                                                                                                                                                                                                                        Entropy (8bit):7.999290842463468
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:6144:EQjapzpRU64iYUQf9N4E/xWTUugwXWBoJW55fJKsff+Idm3lqd0LNIN/Hggh:EUaBXU5BjfcE5WTkwGRfQY+Om3lqdv5
                                                                                                                                                                                                                                        MD5:D3901E62166E9C42864FE3062CB4D8D5
                                                                                                                                                                                                                                        SHA1:C9C19EEC0FA04514F2F8B20F075D8F31B78BAE70
                                                                                                                                                                                                                                        SHA-256:DBC0E52E6DE93A0567A61C7B1E86DAA51FBEF725A4A31EEF4C9BBFF86F43671C
                                                                                                                                                                                                                                        SHA-512:AE33E57759E573773B9BB79944B09251F0DC4E07CDB8F373EC06963ABFC1E6A6326DF7F3B5FECF90BD2B060E3CB5A48B913B745CC853AC32D2558A8651C76111
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....'gqX............/...AgentPackageHeartbeat/AgentPackageHeartbeat.exe....0l.......?........F0..6\.q.......<.......I.3. &.;.........O.;d.&.U....".' ..}P..u+0.`g.Z..Zq,...w.1./..UD....F.a...B=.....!.. .=... .#7A.Q..o.........+q.C5 . 1..Ud...R>n..Y.9}>z.....yE7.}!sn....p1(e.....}T#>2/..y*7.@.<..J..q......3.4....M..."/"..cS....9pT.dn.:c...&..,H.e.....r...X#...m...V..ZP......+.h.R. .8.......!7FNa.`.P;.......P~..U.x.K.D8.&.vQ!..xn..~cNG.2._L.},..........:.J...S.y..-J...K.z.H.....z.G.6....d.b.[..9......Q.r.T........#..+..b6<...p.}......!.5.&l.E..4.F8..Y...."/.b.....................(.......b..&.6...t..%.(A..X{....H4....[.....}.......n0.:.......s..wQ.&.J\|j.....7=b+.L.t.l.0.{G.Jb.Jy.U.kG.....p-...^..g.4..RA.R..........~..5t4_...Z...h..J..........t...C3....{K.h...F..W$...U....-55....Hi.......m...............x..........)...F.p....r,}}L...i:q.Y.O....`L......yY...N..J]....T..~_|.Bh..p.w%0.H.%D...p..RM`..e....TJk..(..\.%......4..N.<..^..k/_..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27696
                                                                                                                                                                                                                                        Entropy (8bit):6.448893455648887
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:TndoS4jOhWCHDIJNQnt96+aTkdMEdcG7UhZPWU1Nyb8E9VF6IYinAM+oC8Z1KTm:Td0SkSeIUhrREpYinAMxCm
                                                                                                                                                                                                                                        MD5:797C9554EC56FD72EBB3F6F6BEF67FB5
                                                                                                                                                                                                                                        SHA1:40AF8F7E72222BA9EC2EA2DD1E42FF51DC2EB1BB
                                                                                                                                                                                                                                        SHA-256:7138B6BEDA7A3F640871E232D93B4307065AB3CD9CFAC1BD7964A6BEC9E60F49
                                                                                                                                                                                                                                        SHA-512:4F461A8A25DA59F47CED0C0DBF59318DDB30C21758037E22BBAA3B03D08FF769BFD1BFC7F43F0E020DF8AE4668355AB4B9E42950DCA25435C2DD3E9A341C4A08
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O............"...0..8...........V... ...`....@.. ....................................`..................................V..O....`..P............D..0(...........U..8............................................ ............... ..H............text....6... ...8.................. ..`.rsrc...P....`.......:..............@..@.reloc...............B..............@..B.................V......H.......t-..x(......2.....................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. .... )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*.rW..p*.r...p*F.(....r...p( ...*.r...p*.r...p*..(....*.rM..p*.r...p

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):542
                                                                                                                                                                                                                                        Entropy (8bit):5.041389931890446
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGGsVZrdSJ9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdArdEtPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:547C772B1DEA0A1E8030F6ED5BE2AF75
                                                                                                                                                                                                                                        SHA1:6F4A95B2EA3342D7B4D61C715C7FC076EB6A2DC0
                                                                                                                                                                                                                                        SHA-256:C35A8B8AF7ECCB9BA68B129FF7F46EB1279229D637049F40761A697E9DFCD5A4
                                                                                                                                                                                                                                        SHA-512:0F77B35AC34C8E4655F7F1F4EBF1A86AA11F96C689E632DA8BE8A17CC69A9292878E0058DD9EA5FF7315DCDD8B34489F06E6DCBB365569E3BB80E81373792FC0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):13
                                                                                                                                                                                                                                        Entropy (8bit):3.5465935642949384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhUv:Wm
                                                                                                                                                                                                                                        MD5:27AD88A291FC97D97FD773334DE4E487
                                                                                                                                                                                                                                        SHA1:04B5DB46F05E02E2EC94B8A0A3447EA41FA4089D
                                                                                                                                                                                                                                        SHA-256:4E7F8923223CB32E5D376EBC0C5361DD97DB201848590C4877D586723142B49F
                                                                                                                                                                                                                                        SHA-512:5B21A87E19D4E3D7A14DC05C815B8D06500695360AAD1F54D2D3713CF05F646E9E7D559551BFE2CC2CDEBCE29A1991BC80AB2B11DDF79A4033897B34DCA40521
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=17.14

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):93232
                                                                                                                                                                                                                                        Entropy (8bit):6.196023578677744
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:5Svbne0Q41qJ3n8JMW+0KcBLQhZV5M+5Nn0komH7yAfRS7Hxh:5S8UMW+BV5M+5Nn0kom/RSz
                                                                                                                                                                                                                                        MD5:BD539D820C8163E9E86E59B99ADEDD22
                                                                                                                                                                                                                                        SHA1:FF367525BA06F8B9E611A82CFD57411BA4FBD1FE
                                                                                                                                                                                                                                        SHA-256:04C547E06CA956DB2B929CC2B6B695A649FF0F82C52E56F2677A887E7D9616DE
                                                                                                                                                                                                                                        SHA-512:FEBB46D70A5466C85087BD4E42FBA81682CF398739F7EFEF43982C830CCFD6FCEC4613F0B5542951A463161C891EE9F378CD4D2B15B1659DCBC0E15A34BA677F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c.........." ..0..:..........^X... ...`....... ...............................F....`..................................X..O....`..8............D..0(...........V............................................... ............... ..H............text...d8... ...:.................. ..`.rsrc...8....`.......<..............@..@.reloc...............B..............@..B................@X......H.......|f..X............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tM...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960415778826794
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:fBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUs:fBA/ZTvQD0XY0AJBSjRlXP36RMGx
                                                                                                                                                                                                                                        MD5:3DDA2732842FCAEEA0477F18D85CB584
                                                                                                                                                                                                                                        SHA1:D70016DF3F407CFE1BE6ACF63CC80A2B40F8212B
                                                                                                                                                                                                                                        SHA-256:EF3F8313AD94CFB9C2E8C95B54433F112918A0542C341763B19C0B2C6914A71D
                                                                                                                                                                                                                                        SHA-512:3403842EA1DF9F314EFF6E78F36F215A4E371B01B1C83345B7745737FABB092BDCFE63F78A29FB5FAD14825DA1C7AC286CC8BCA02B0FC3056620FE268D4FE6F9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......Ee....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):490848
                                                                                                                                                                                                                                        Entropy (8bit):7.999544279071008
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:6144:+VnOw8pDXpVEhA3xnVUWe8CRQ5Q6wMqoHeRpC8N7XBb1lTWM05pqcGwD/NI0Y0f6:+VnOw8pDA4/vQeibNTlTWMqjPdk
                                                                                                                                                                                                                                        MD5:860F60AE461BA51B388949C16EB37A6B
                                                                                                                                                                                                                                        SHA1:80A977E2AA3BC2DF410C3727B416C0438EDCED36
                                                                                                                                                                                                                                        SHA-256:83B13A3429207B689BA648EBAE7119FDCDF2CBA71E2F93D9DA4326FB968EE5EA
                                                                                                                                                                                                                                        SHA-512:E3FF010AEEEA4650785D070587E5F21B46E3D252454F49FF9A5845B7D95D1B59B2FD5A719ABA7250C50AF011D081B974F740A43AA25B05A1FCB131F970BF039B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....=O(Y..>.........3...AgentPackageMarketplace/AgentPackageMarketplace.exe....0.......>N......V.^.'....l....f.u*-Dl._.>.u.S.Pl-6.;...].#.S.X..7./...."...Z.....M.$`.,..{....v...B.Q.M7.j4.'.C.G`<s.X.%.....,...<bdR....N....!.$J@.k...55....>1..(P&..-.#p.NwuV=Wb...a....-....q.!.s.LH..(...:..#7...L.7.$6.C.uy....&I.r..e...,w0o.....`.....[.{cg=]..IBiQq.`.X.D.h.......G./..NA.....46....w.....b9rp.J.C*.2.F.....G...~..q.x....u......l..I..b..z..w..v.d!./..U.Y^..J..k<kUo:.n:.W......g$..<.X.>....rQ.5JiJ.+..|.p......C......o/...K......T.....+9..z.."..Yd.f..&.B..QWu.-.@...c4.T.^...#.E...v...B..\.x0..{..."|.a.?.y.......-..W.........8nk.).$sf.2].c>...`....=...0..$.bp...Oh....8x.-.%N/...w.........i....a.QX0.k..k..f..D.vl.f.Q..3....]....$.4..k..y.../...'...a..C.x...@..".8....9...;..&j..G#f......).....l......Y..7.c....PJ...X...^)s[...{.......Jr.Q..+....N.F.I...%OS...=.......5......i....h..(....r..T-ir.=.+.'..'.......r...[..J...l.P....[.q...,.To..h.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3585766
                                                                                                                                                                                                                                        Entropy (8bit):7.9999279847863685
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:98304:XOzuWD7XM4OvRQW56YWuCrMXa7ANNBvlXWKCI:XauWD7cjGKWuyOr
                                                                                                                                                                                                                                        MD5:E010D1F614B1A830482D3DF4BA056F24
                                                                                                                                                                                                                                        SHA1:5873E22B8C51A808C06A3BBF425FCF02B2A80328
                                                                                                                                                                                                                                        SHA-256:98A98DD1DF25D31A01D47EAF4FA65D5F88BC0AD166F8F31D68F2994B4F739A9B
                                                                                                                                                                                                                                        SHA-512:727877929530E08062611868FD751D1B64E4C7D28C26B70F14C7CD942B1AE1579CBA2A2EF038BAD07032EF728AE277963FFB3E1AB7A5C28351326FABAD84DAA6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-......6>Y.^.S........1...AgentPackageMonitoring/AgentPackageMonitoring.exe....0........p........_L........v.w.../.E..l1.=.8..F.....|..%J.....QB..+.C#.(...Y..*FC.j./.?..#WJ.T......3.P....7^p5.g.`.. .m.h..U..(\.OlC.U...,...l~..Noh.q....Ai.'.EuZ..!z..5w4..&..4..b.__...7u..^.Wv.1.:.|....}..I....F..W..Ko]_j.mk..v..-....CW.....%x....&...o.:I.~.C..#%S..U...f$..n.........WE.....>...d...._M.|....(..?..i. Z.d......{..C.P....57.QR...._iN...r.t..IG..tFs..r.%..b.I.C......`Dd..8U.h..T.C..q....7.i.L..S!m"..).s."..H....W..b....X.l.C..'..#M....gB}k4..{K.&..s.<.^..Q....Q..c..&..BO..W.".\...!.CR..,o<.X>....,.-.[.^1H^r.)q. L..#.?...0..j.,r.`#..Rq"K/.B.:.....V...hX_..ja.........[.)&....C...../../......IZ2..v .@G...*F....nf. .@w.9o.,.....X.i.K/.}\!..7.a.w....:.x.$gE..DG..V...t...K...M.$...b..{.u.4..1..]."..o.n8dQ<...q.....d.(..Y...U...../n.....*y+..%.+.D.}W.&&.U.Z...c#.mU(.......d(.......x....r".g/O.....5..|(p..XG...'7].3.A.Y.&.&D$.".|...D..d\.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398384
                                                                                                                                                                                                                                        Entropy (8bit):6.2554691460003795
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:OLrnDNjiDx+xdShTv/51LtpYbgPuXhN2sHY:OLcDx+72/51+cuXhN2Z
                                                                                                                                                                                                                                        MD5:5E3252E0248B484E76FCDBF8B42A645D
                                                                                                                                                                                                                                        SHA1:11AE92FD16AC87F6AB755911E85E263253C16516
                                                                                                                                                                                                                                        SHA-256:01F464FBB9B0BFD0E16D4AD6C5DE80F7AAD0F126E084D7F41FEF36BE6EC2FC8E
                                                                                                                                                                                                                                        SHA-512:540D6B3CA9C01E3E09673601514AF701A41E7D024070DE1257249C3C077AC53852BD04AB4AC928A38C9C84F423A6A3A89AB0676501A9EDC28F95DE83818FB699
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..../............"...0.............2.... ........@.. .......................@......<.....`.....................................O.......(...............0(... ......0...8............................................ ............... ..H............text........ ...................... ..`.rsrc...(...........................@..@.reloc....... ......................@..B........................H........0..d.............................................................{'...*..{(...*..{)...*r.(*.....}'.....}(.....})...*....0..Y........u........L.,G(+....{'....{'...o,...,/(-....{(....{(...o....,.(/....{)....{)...o0...*.*.*....0..K....... bHQ. )UU.Z(+....{'...o1...X )UU.Z(-....{(...o2...X )UU.Z(/....{)...o3...X*..0...........r...p......%..{'......%q.........-.&.+.......o4....%..{(......%q.........-.&.+.......o4....%..{)......%q.........-.&.+.......o4....(5...*..{6...*:.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1459
                                                                                                                                                                                                                                        Entropy (8bit):5.033662307409642
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dErdGPF7Nv+13vH2/nVhOXrRH2/d9XF7N0PH2/+w39XF7NQ7uH2/F9y:cErU7h+1/gn27Rgdz7Eg+w3z76agFw
                                                                                                                                                                                                                                        MD5:C6ECF24757926EBA64E674BFF8B747D1
                                                                                                                                                                                                                                        SHA1:3A46083826C20E8E085C42BBFDFEEF4F9E2B90D9
                                                                                                                                                                                                                                        SHA-256:C3EC04142C15B0A237E72CE1C3C85D19CD1231B9824F7A9854E7909A74B7BECC
                                                                                                                                                                                                                                        SHA-512:EFABB9883ADB098A90115E8938C92B76BBB8D2EB5DE170ECFA205EE949A2D722E0F97F6E01F9A71AC8B5FA2108B9FF82FA0171759D50E30D0AB5FC1948BDCE15
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhWQn:WZn
                                                                                                                                                                                                                                        MD5:5796D1F96BB31A9D07F4DB8AE9F0DDB3
                                                                                                                                                                                                                                        SHA1:93012724E6CC0A298838AEDE678806E6C0C6517D
                                                                                                                                                                                                                                        SHA-256:A90D255CCE3B419641FA0B9BA74D4DA464E0CE70638A9C2EBA03D6B34FCA1DC4
                                                                                                                                                                                                                                        SHA-512:890112DDCB3B92B739C0DD06721EFA81926CE3AAB04C55CDADB8C4E6B7A28C9796F08F508249DB189547DC4755804AA80CC8B104DD65C813A0450AAD2CDDA21C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=37.8

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):102448
                                                                                                                                                                                                                                        Entropy (8bit):6.190879178656762
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:gPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OL87Hxm:g2bYbYSWd85I5sSakFQhHL8g
                                                                                                                                                                                                                                        MD5:A86884A9A1C75604B2114E09B738FCF9
                                                                                                                                                                                                                                        SHA1:A82B444BF09CFCAE36F532C4EB4B8C5EF0933F6A
                                                                                                                                                                                                                                        SHA-256:EEF751E3B01C4071A1BA34E96B663E93631C51485AF31055C3EB2F75866F9FEC
                                                                                                                                                                                                                                        SHA-512:4B97A3D4C37129440816D0524CDB1C485AE68B6C6735857C157D7EA76ADD91241B7185C831C646713CFB4DFB3EC95E577F98088D08ACBB0313837CA584474299
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5*f.........." ..0..^...........}... ........... ....................................`.................................`}..O.......8............h..0(..........(|............................................... ............... ..H............text....]... ...^.................. ..`.rsrc...8............`..............@..@.reloc...............f..............@..B.................}......H........s..|............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95280
                                                                                                                                                                                                                                        Entropy (8bit):5.997149012234495
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:S4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkj87Hxsfn:S4auS7S5Ea6WMcpu8Mn
                                                                                                                                                                                                                                        MD5:0E5155ECBE5A1797644F1610DAA15583
                                                                                                                                                                                                                                        SHA1:89677E0F9443D52C73D4E0B91C5AEE5215EC4E88
                                                                                                                                                                                                                                        SHA-256:9BAF23C814DD100B2AC9511C9A2E5302DEE1FFB1807DEA021E1D317BA36901CA
                                                                                                                                                                                                                                        SHA-512:3F80A871547BDF47F0A5B58F54B9597D0894580FCEE8F53DD08C8A80658697FA9C9426AB8D47A40B0CDCF53D11769C654D26A3B530AD39A3A6E37D468CA309D3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=$..........." ..0..B..........b`... ........... ..............................d.....`..................................`..O.......4............L..0(..........h_..8............................................ ............... ..H............text...h@... ...B.................. ..`.rsrc...4............D..............@..@.reloc...............J..............@..B................A`......H.......Lh................................................................(......}......}.......}.......}........o<...}....*..{....*>.{....o.......*v.{....o...........s....(...+*...0..<........{....o.....{....#.......@(....o.....{......o........&.....*........55........{....o.....{....#.......@(....o.....{......o....*..0..$........(......`...%..".o......{.....o....*Z.(....r...po ...o....*..{....o/...r...p.(....(....o%...*6..(....o....*..{....*..{....*.s....z.s....z.s....z.s..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):75312
                                                                                                                                                                                                                                        Entropy (8bit):6.240342116807372
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:bu2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYM:iF+qo7mDEwj4NXLGcfgruFcg7HxRM7
                                                                                                                                                                                                                                        MD5:F64746D633211D129AEC5DB988BCC9B1
                                                                                                                                                                                                                                        SHA1:78E7047265B0DF15C54FE84261D2A0B3568FEF31
                                                                                                                                                                                                                                        SHA-256:9EC285FDB857D5618FBD794464135BC56823B08146EA41F24FCEC3135F0E1C0B
                                                                                                                                                                                                                                        SHA-512:31BCE8F3DC415F562354044BA490A9252E6C20CAA38D5162AB3929111566BCA7E97D609EACAC4712E814AA8AACFCB7B32360E4F6EE5521D6223DCC4617A5614F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6............" ..0.............F.... ... ....... .......................`............`.....................................O.... ..................0(...@..........T............................................ ............... ..H............text...L.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................%.......H.......t<..`.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*...0...........(.....(.....o....(....*.0...........(.....(.....o....(...+*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..(..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51760
                                                                                                                                                                                                                                        Entropy (8bit):6.408313907878965
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:RQMnMYPWMXMwtKsSdj3xn91SPSvwzE8Kku6P3A+wf+bMEpYinAMxCk15:R9MYPJS/16/E8/3A+++bF7Hx315
                                                                                                                                                                                                                                        MD5:1CAB625AAF9CBCAB46B1455BCA45EF4C
                                                                                                                                                                                                                                        SHA1:274A3B9134AA4530110F29C1858A85D86D4A396D
                                                                                                                                                                                                                                        SHA-256:1CB4C57049F47E3EEFB1C2BAB2BA34A17ABDA610DC3D4D331A9B33B40B00307F
                                                                                                                                                                                                                                        SHA-512:BF4A53BFB9DCF13C87ED6E79640371908C73E7D67765B724C509B4EB7F3F66962F0883094640497CCD2FFCD255D1E46A50B33850E8B0B2D1CC684D40DE24F5D7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D............." ..0.............b.... ........... ....................................`.....................................O.......4...............0(..........$...T............................................ ............... ..H............text...h.... ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B................B.......H.......|E...q...........................................................0..........(.....o.....s........s............io........,...o.......jo....s....&.o.....O.........io ...&..i.X.O..........i(!.....i(".......(!....(#...*.........*.......0.._........($....s.......(%........i.Yo.....O......jo......s&.......io ...&(........io'.......,..o......*.........FS........((...*2.~....(....*....0...........()...,.r...ps*...z.()...,.r...ps*...z.....~....s+....s,.......o-....[o....o/...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):155184
                                                                                                                                                                                                                                        Entropy (8bit):6.247374284901675
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:A0feG0EI+t80zE04kjSnY2QJ6lwZaBsEFmWF+YkY:1P80zukOltwW9
                                                                                                                                                                                                                                        MD5:12572F87CCF0E40406B3554A1A6D3905
                                                                                                                                                                                                                                        SHA1:C9E238EF065D38400D084265EE056B2ABB694224
                                                                                                                                                                                                                                        SHA-256:6FDB589EBADF91A869EAA3A850B0FB17A8AB96BED78422E28F7EFAF63BC040F9
                                                                                                                                                                                                                                        SHA-512:D397888AACB1B787662B1678A24E24DDFA7A42C5363AC673706934A1A42E13F5ED55956D478FAF0998C77891A64F5F26E85DCFA7FFC0A6AE87DF26B3C24C4314
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%%.W.........." ..0..............M... ...`....... ....................................@.................................lM..O....`...............6..0(..........4L............................................... ............... ..H............text....-... ...................... ..`.rsrc........`.......0..............@..@.reloc...............4..............@..B.................M......H.......d....G...........................................................0...........u....,..s....*.........*Z.(....u-...%-.&*o....*..{....*..{....*..{....*..{....*..{....*2.(....._...*2.(....._...*..{....*2.(....._...*...}......}......}.......}.......}.......}.......}....*>.........}....*..{....*...0...........o].....o^...(....%-.&+..o_....(....,...(....o`.....(....oa....(.......(b...,...(.......(c...od...+"(.......(b...,..(.......(c...od....(.......(e...,...(.......(f...og.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030878409231256
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:x1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7sA:YIzm6pOIgvr75
                                                                                                                                                                                                                                        MD5:44EBFB8CE52A4EFEDF07DA6875CA230E
                                                                                                                                                                                                                                        SHA1:824585DB12A35588F25C0CC5DA77EAEF94011CAD
                                                                                                                                                                                                                                        SHA-256:292F94823959CAFAAA77B81C0A490EA9ACF90B2553727BF3E74C1AE3A7F8AC01
                                                                                                                                                                                                                                        SHA-512:89DD6F5E827A9E23A8F7DBA8F89F55F2A01B290756AE7A6371A5934E9AFC6B3C5702DC0CADAB061405AEA4F2AC275902D8094E7A0ECDA29C8A438C6BCE46ABD0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ..............................`.....`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2
                                                                                                                                                                                                                                        Entropy (8bit):1.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:H:H
                                                                                                                                                                                                                                        MD5:99914B932BD37A50B983C5E7C90AE93B
                                                                                                                                                                                                                                        SHA1:BF21A9E8FBC5A3846FB05B4FA0859E0917B2202F
                                                                                                                                                                                                                                        SHA-256:44136FA355B3678A1146AD16F7E8649E94FB4FC21FE77E8310C060F61CAAFF8A
                                                                                                                                                                                                                                        SHA-512:27C74670ADB75075FAD058D5CEAF7B20C4E7786C83BAE8A32F626F9782AF34C9A33C2046EF60FD2A7878D378E29FEC851806BBD9A67878F3A9F1CDA4830763FD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{}

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):354352
                                                                                                                                                                                                                                        Entropy (8bit):6.153589479592355
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:Qr/iEF3zTxesPlx5zIAUH+2n8G4smIkuxhnCq7a/ZmvY2:Qhpp9xxIBeXGfvY2
                                                                                                                                                                                                                                        MD5:53594510735A737A2B25AF4B396EFE8F
                                                                                                                                                                                                                                        SHA1:3F4664E88F44BBDCA29AFFB78D866A76ED128965
                                                                                                                                                                                                                                        SHA-256:DFBBDBA40745B2FCDEC5973D1BB0352DD8618996A6231411C48D87D11C63D07A
                                                                                                                                                                                                                                        SHA-512:D9EBC5B83D8727E596EA6A72C49F58C5CB2BC02EC24B432709BCAA7C1C49E267F85520315EF644EC75DC24E3A5D49F64292A295822B27EDEFF452F552D8B89AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j.Y..........." ..0..8..........nW... ...`....... ....................................`..................................W..O....`...............@..0(..........HV..8............................................ ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............>..............@..B................OW......H.......`...ht...................U........................................{*...*..{+...*V.(,.....}*.....}+...*...0..;........u......,/(-....{*....{*...o....,.(/....{+....{+...o0...*.*. S]G. )UU.Z(-....{*...o1...X )UU.Z(/....{+...o2...X*.0...........r...p......%..{*....................-.q.............-.&.+.......o3....%..{+....................-.q.............-.&.+.......o3....(4...*..{5...*..{6...*..{7...*..{8...*..(,.....}5.....}6.....}7......}8...*....0..k........u......,_(-

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):883760
                                                                                                                                                                                                                                        Entropy (8bit):6.071511083932349
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:o1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQs:o1n1p9LdRN39aQZUq1
                                                                                                                                                                                                                                        MD5:286642CD396C5B6CADC906B112B493EE
                                                                                                                                                                                                                                        SHA1:CB625FDBD26798B3042BC5CFFD010F4E73CDAF1B
                                                                                                                                                                                                                                        SHA-256:004BF709595E808AE59558AE7510A40277B7E31D99A5580B0E07F136EAE09130
                                                                                                                                                                                                                                        SHA-512:49773E5AD432F893C559308DA144596CE1DFB967DB5FCFB1805528CC7535E70A181ED8801CAE43A47B58656C9925A236B06A4F2C67802A1A875A3DCE3C9002DD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..F..........:d... ........... ....................................`..................................c..O....................T..0(.......... c..T............................................ ............... ..H............text....D... ...F.................. ..`.rsrc................H..............@..@.reloc...............R..............@..B.................d......H........%...2...........W.......b......................................"..(....*..(....*"..(....*..(....*..(....*..(....*.(....*"..(....*...0..B.......~..........(b...~....,.~.....oc......+...(......od......,..(e....*........../7......"..(....*6.(.....(....*..0..........(.......of...&.*.(....og...*2(.....oc...*....0..?.......~..........(b...~....,.~.....oc...+...(.....oh...&...,..(e....*.........,4.......0..?.......~..........(b...~....,.~....oi......+...(....oj......,..(e..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960469418569573
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:2BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUD:2BA/ZTvQD0XY0AJBSjRlXP36RMG6
                                                                                                                                                                                                                                        MD5:B61A163EC8F1E6A3A3572A90BA23F7CB
                                                                                                                                                                                                                                        SHA1:467FBA9F1C171B58B76F4E9E24ABA1CE5C91D02F
                                                                                                                                                                                                                                        SHA-256:87DA900259BEA3BB65D984FB6FCD3134661E3EB0883EBF24981D50CA5D36F51A
                                                                                                                                                                                                                                        SHA-512:87EADB61D95EF67CEA0EC8CF15C2E285AFF8C92941ADB47DBCE6886796DE45B4940EFA803D2A9333FADD09473E1B1A34660042D12562FB07EAF4A59C401244CA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... .......n....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):293424
                                                                                                                                                                                                                                        Entropy (8bit):6.121629065121692
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:admT7N9hXNx16L/kakZieD2C6gVkRYKn6nUa9K+yB:adc7N/WkQHr64B
                                                                                                                                                                                                                                        MD5:3362FDB62A7980CA70C44B4DBDA5BE9B
                                                                                                                                                                                                                                        SHA1:77B328FD868E9BE19165C39B541E815BAD1FE13F
                                                                                                                                                                                                                                        SHA-256:A6B74A797384F89B692F2E1027A3F73B4FAD2A97914208158869A33068132A1C
                                                                                                                                                                                                                                        SHA-512:D0441E5C747707434C02A64E8FF3A49EDF33CFF2C9D22F2C22E8BDFEBC30A3CDF79B2ED96B8ABD819ECD042876BAA77C32E119EBB05BA0ECAC73DFE2BF971E86
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:.d.........." ..0..H..........rb... ........... ..............................k.....`................................. b..O.......$............R..0(........................................................... ............... ..H............text....F... ...H.................. ..`.rsrc...$............J..............@..@.reloc...............P..............@..B................Tb......H.......\....V...........................................................0...........(......o......e...%.r...p.s....}......}......}.......}......{......e...%.r...p.s....o....r...po.... ....(.....|....(....-.."....}......{......e...%.r!..p.s....o........(....(....o.....(......(....-...}....*..}....*..{....*..{....*..0..a........{......W..}.....{....,..{.....o.....{.....{......e...%.r!..p.s....o.....{.......(....(....o....*..{....*....0..Z........{......P..}.....{....,..{.....o

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):277040
                                                                                                                                                                                                                                        Entropy (8bit):6.190725872261733
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:ISOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRYl5:XuQlBAMW0BvltxZ66
                                                                                                                                                                                                                                        MD5:66C97A4217593113658977F5AEFC18D8
                                                                                                                                                                                                                                        SHA1:A7E4FF9BDB3800C1E93A0D521B53E344A10699FF
                                                                                                                                                                                                                                        SHA-256:9AD65CC593BFC60815124C6377A8F3EA4F031BCA01C688FB543B50A2B6418764
                                                                                                                                                                                                                                        SHA-512:D2A474718A38AA0EA738200D7584A5C21552DC76428176026C5509AE606FEA534F4AEABEDF93D5BAE5735754D82B2D93E4CFB67BCFEA9A435147D7BB4B1F0722
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..............'... ...@....... ..............................?a....@..................................&..O....@..L...............0(...`.......%..T............................................ ............... ..H............text........ ...................... ..`.rsrc...L....@......................@..@.reloc.......`......................@..B.................&......H.......L[......................`%......................................^.{....,.(:...z..}.....*^.{....,.(:...z..}.....*"..(?...*"..(@...*...0..,.......sp......}........q...s7...sj....{.....(....*.0..-.......sr......}........s...s7....ss....{.....(....*....0..(.......st......}........u...s7.....{.....(....*.0..'.......sv......}........w...s7...sj.....(....*B...ss.....(....*......(....*.0..'.......sx......}........y...s7...sj.....(....*F...ss......(....*....0..Z..........}....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):284208
                                                                                                                                                                                                                                        Entropy (8bit):6.117308680869445
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:QZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHe:Ggo0WPVTXg+
                                                                                                                                                                                                                                        MD5:A6D30251ED124D7656F523A7DF177D09
                                                                                                                                                                                                                                        SHA1:48092D267E067C1967B5ACF1AEBD9A18F0B91515
                                                                                                                                                                                                                                        SHA-256:EC81827B885C0B109AAA3882469BB41D26871274B2E39D3B227FBD18858BF6A3
                                                                                                                                                                                                                                        SHA-512:466809068B5813AC5531D9E5C76BA080A3A15B0D1AFF2A7187149CD5366D990DFD07DF1D51EEB8FCC656ED5C2D1C099AC32E0416F219FC38B64BD1A2351EE502
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7..........." ..0..$...........C... ...`....... ....................................`..................................B..O....`..D...............0(...........A..T............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...D....`.......&..............@..@.reloc...............,..............@..B.................B......H.......X~..x.............................................................o...+*..o...+*..(....*n.-..r...p.r...p(<...s=...z*...(.....o>...-.r...p.r)..p(<....s?...z*.0..9..........o@......+$..........(A....oB...(...+,...+...X....i2..*..(D...*....0..n.......sE.....oF......+A.......(...+,/..oG....,.rc..p..oH....oI...(J...sK...z...oL.....X....i2..oM............oN....*..(D...*...0..E........oO....+..oP......oQ......8...,......o....-....,..o.........8.....*.*...........'.......V.-.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22064
                                                                                                                                                                                                                                        Entropy (8bit):6.677526036924594
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:gy/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOq9tH6:guhMaVmzDC67EpYinAMxCQ
                                                                                                                                                                                                                                        MD5:8F678B241B955CF86CF65136ADE90539
                                                                                                                                                                                                                                        SHA1:DFD92464B9C5D6822062721C7C3497CD30850CC4
                                                                                                                                                                                                                                        SHA-256:15F8EEDC717B18D1A43BB3295BE6787E0DF002C284A06A4B9198851BCCFEB7F2
                                                                                                                                                                                                                                        SHA-512:482E6E33F22D7DC68D075600E3C6131A0B563796E34BEBE6352BE8455BD4ECC72F7B682C3E203FEE9CED67C78B60A96B58037CA7499D4F0F86E0B33AB836F048
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ....................................@.................................sC..O....`..@...............0(...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):409136
                                                                                                                                                                                                                                        Entropy (8bit):6.098204637389941
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:bPaYZ6henFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchFFc5cbc17:p6heZBJm333M89QA+
                                                                                                                                                                                                                                        MD5:5B3639406ABB5AD7F16A90124B708862
                                                                                                                                                                                                                                        SHA1:466DB9D6BC5F2A8EB205E5F3A7F2EC8C52809597
                                                                                                                                                                                                                                        SHA-256:83717328623F05F5987DC258332BCA21C1F2858B7CE6B834AF5DA687B0948847
                                                                                                                                                                                                                                        SHA-512:F10717408E0140C8DBEFCCE9501CF03B86CECD32F2B55770879C28E21D793E45BD8B7EEED52E56E3386000A7BEEF7F0BDD05EBEFF99A44D1056512F48063F71C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...3.c...........!.................+... ...@....... ....................................`.................................H+..S....@..p...............0(...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B.................+......H...........tM..........PM..J...P .......................................6K/.%.L....7.......2.x..`..P.k:k.......0\W.j...;..xX.~..HB..S@.$.m...)4..<S1...C.Y......#ku.k&..2<..i{..>....U...s.'{:.(......}....*..{....*:.(......}....*..{....*r.(......}......}......}....*..0..5........-..*~.....o.....X...v....~.......o......o .........*6..(....(....*"..(....*.0..T........~!...("...-..-.~#...*../....+...X....($...-..-.~#...*..v........(%...~.......o&...*Z.~....2..~.........

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51760
                                                                                                                                                                                                                                        Entropy (8bit):6.234968936412768
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:3zpj9H0/bvvmNAkkOMo/23e3vggrkrD9Bxjpm2yuIFLlHTUpa/hDXEpYinAMxCWu:3zpjF0/t043e3vggr83jMYa/hU7HxVu
                                                                                                                                                                                                                                        MD5:BDFEF14C7A661E237F27B79E4FE950F6
                                                                                                                                                                                                                                        SHA1:83F7DC1950211EBEC2B326D0778E6A46781CF892
                                                                                                                                                                                                                                        SHA-256:689AF98555A3D5A36FE8841AD39F9196F60A6A5400A8CF41E6E0997F47E675F1
                                                                                                                                                                                                                                        SHA-512:1E698E4E1E6108524F48B6ED7720E0EE239679546FB429F415A52875C8FA0D5C0B2D8C3EE6F523D1B7E875D1FACA83B6A0EB5B62C0DAED414BDCB36FE0D5C043
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0.................. ........... ..............................b&....@.................................X...O.......................0(.......... ................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........J...g..........p...0.............................................{!...*:.(".....}!...*..0..#........u......,.(#....{!....{!...o$...*.*v ..yN )UU.Z(#....{!...o%...X*....0..M........r...p......%..{!....................-.q.............-.&.+.......o&....('...*..{(...*:.(".....}(...*.0..#........u......,.(#....{(....{(...o$...*.*v ..:. )UU.Z(#....{(...o%...X*....0..M........r-..p......%..{(....................-.q.............-.&.+.......o&....('...*..{)...*..{*...*V.("...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138288
                                                                                                                                                                                                                                        Entropy (8bit):6.179921646668756
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:YP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8Ils:Yh0qjC5RMOHO420kN1X
                                                                                                                                                                                                                                        MD5:8DDC05CED2922285C9037C7D503A86AA
                                                                                                                                                                                                                                        SHA1:AD66BA39BE8639D86877B515A68EC3D7AD3E7753
                                                                                                                                                                                                                                        SHA-256:30D4499D9F96D1B081C5A8B5F9D9792900DE6767243CBEAD81F6244C33C799E0
                                                                                                                                                                                                                                        SHA-512:6B7E9AC11076C4FAEBF6F51610023BAF0F513DD0680CA2A07DA9AE5E6F6AC42EDBF8CA8F9ED210AC5F3C7D280E8ACBBDAFA4C6916ED2003B9D94693587EEF656
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`...........@.................................3...O.... ..0...............0(...@..........8............................................ ............... ..H............text...\.... ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B................g.......H........ ..............P.......8.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17968
                                                                                                                                                                                                                                        Entropy (8bit):6.676696708568243
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Th06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBVmh:Ty9eEpYinAMxCAy
                                                                                                                                                                                                                                        MD5:2D491883E24603B382FDAD8840272070
                                                                                                                                                                                                                                        SHA1:78C442E11EA0B9ED3BBD09B19E6A18CC559CA58E
                                                                                                                                                                                                                                        SHA-256:EDF076BA91F6F5A808879D94A586D1BF78D5D0C8FDCD5399DE36FB6389301886
                                                                                                                                                                                                                                        SHA-512:0790CA5BB187AEFE4E5785C528C68E55EA4AFD642101A77A1D983599BC42AB4423723E910A0265CD9A5D3C7DFE0C9E9794DD6F6E8228B488A384647643C09C79
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ...............................w....@.................................@3..K....@..................0(...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27184
                                                                                                                                                                                                                                        Entropy (8bit):6.332801634669375
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:kn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCr/:knvXYcIh6yFIFBYpc47Hxk
                                                                                                                                                                                                                                        MD5:B62DB814A8E1C5C8F4DE32F142D7709F
                                                                                                                                                                                                                                        SHA1:DB5998A9C785E77A1152145615213EA31E06B289
                                                                                                                                                                                                                                        SHA-256:F3E5DDD22B8F044C9B45D99762F2A339077790AB049C1AAB152F70BC7127466E
                                                                                                                                                                                                                                        SHA-512:0F7DAE5AA68ED86A574F70478F99458C4A52B1913D232B20A58045EB1E49C83B9134DD90335FBCBEDEECF691EECE5A137FE06FF9F2F6B9D0607FACEA2C0D7C5B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ub.X.........." ..0..8...........W... ...`....... .............................../....@.................................dW..O....`...............B..0(..........,V............................................... ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B.................W......H.......4%..p/...........T.......U......................................r~....-.(....s.........~....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*2r...p.(....*......(....*2(.....(....*^~....-.(.........~....*..0..........~..........(

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.955263962444665
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq6L:67N1r9KGI04CCARLq6L
                                                                                                                                                                                                                                        MD5:F0A06E07C21B485434202D325B3AA058
                                                                                                                                                                                                                                        SHA1:6E4A0A572E3CA5A5B23D4633CE63300E3BB39658
                                                                                                                                                                                                                                        SHA-256:955FD5B1B046AFC9E62E2D0CA4698818FE1357EA764977D7A9B4A44C1F657169
                                                                                                                                                                                                                                        SHA-512:B398A6A66F184193CFA635D6B5DBA9ADB391782F2A82F4609ECB161A4340DC41C82F22A98FEB69F594B7DDF9FB677711BE1FBFA4D796146550E92D22DCA14D15
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`............@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\log.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4019
                                                                                                                                                                                                                                        Entropy (8bit):5.252279394444487
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:ZgDOTg8OcZgFONjgYgOVOhVWgBNNXzHSxBNN4zPzRlXNzSPeZgg9dSjedcdS4dSC:GN8GFH8afhbZh9A6qA4AAADjAN
                                                                                                                                                                                                                                        MD5:57BD99CD6848F07DAE533AA2045A3204
                                                                                                                                                                                                                                        SHA1:167F40A37ED250862D3BA45BA51DCEDB1963EE5A
                                                                                                                                                                                                                                        SHA-256:685ACCB6D9F383B0CA96016A4E4C4A591905BFBFF8F9864F2D09459338BE1189
                                                                                                                                                                                                                                        SHA-512:EF11C86561E8EEBBD2511966C920690D0E33F3FED943B78FB618584C2F421911127EB82639898C7457573287C136994F75C1C8EC86EB2C5B19ECF0029F65AFC6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\log.txt, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024-12-03 12:18:35.0527|ERROR|WindowsWindowedEventLogProvider|Error on retry number 1: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2024-12-03 12:18:36.1621|ERROR|WindowsWindowedEventLogProvider|Error on retry number 2: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2024-12-03 12:18:38.2090|ERROR|WindowsWindowedEventLogProvider|Error on retry number 3: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2024-12-03 12:18:41.2246|ERROR|WindowsWindowedEventLogProvider|Error initializing last processed events, ignoring file, exception: System.IO.FileNotFoundException: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...File name: 'C:\Progr

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\package_2.db

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 21, database pages 12, cookie 0xb, schema 4, UTF-8, version-valid-for 21
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49152
                                                                                                                                                                                                                                        Entropy (8bit):0.6101855879278203
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:T8Fu5C4OZUlFJNGdNGveXXQXN+5NG1Z7173idaidMD:Gu5C4OoNSN1eN+5NmCxu
                                                                                                                                                                                                                                        MD5:17B59DCF2A42331BFD0481E2A20E030B
                                                                                                                                                                                                                                        SHA1:DFB2F68983F5D141FE87628D2991A1587D6BC706
                                                                                                                                                                                                                                        SHA-256:3DFA3BC8D8D2E08D5D9D9411CD4E06EDB4E9E276C7BDFA4CFE40C9098140A589
                                                                                                                                                                                                                                        SHA-512:025B51EEF9114F142A30DA789FEF4B732982353CC720B53A9078E872908C884BE61442CABFAB3B42D0FDF613CBC9E4C7FB7C71416E5F23AF1FAD314B66C13094
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................c..............Z...?.j...I.:..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\package_2.db-journal

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:SQLite Rollback Journal
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8720
                                                                                                                                                                                                                                        Entropy (8bit):1.8964560155936323
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:7MKqMFu5C4OZUlFJNGdNGveXXQXN+5NG1ZcW:7fvu5C4OoNSN1eN+5Nm3
                                                                                                                                                                                                                                        MD5:E90ACDA2A5D5709698D5BE88A2F8ADC2
                                                                                                                                                                                                                                        SHA1:FFFEF3525BA13F1A36A36B770D4225AB67039717
                                                                                                                                                                                                                                        SHA-256:8FFF680857C5358909F14B3FBD54A54C47AF274AA10AB4EC904438B662831B07
                                                                                                                                                                                                                                        SHA-512:7DE684CFC0FB9C8C9B1191FCE30EDFB97527F489087036833F476BF3A92BCCA27E3CF65F0B948A7A6B823B5D82876EF702AE63A1216579EACEC829588D29EAB6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.... .c........,........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1799216
                                                                                                                                                                                                                                        Entropy (8bit):6.520454988999628
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:GuvfmOhyS2RuhV0yGzcuHpRs8ulCfUk+qKuMhUwqPevJ8QNYfjmqBBLbNFEohFY9:RHmUMohVWpu8ul0UkTgNCfyo3G
                                                                                                                                                                                                                                        MD5:CBA9D50085EE939B987CF758C727DD62
                                                                                                                                                                                                                                        SHA1:DDC0FAF68995883AC754662C59C4295BB0A64E3B
                                                                                                                                                                                                                                        SHA-256:75E47A697A46E31811FAB8C5D9FE1ABA6BA095B6D13DC79A8C848BE308917C37
                                                                                                                                                                                                                                        SHA-512:A5F3D1B96535E0B523ECD71DC36FD3AF157C630874FF11DA29066C545114D256B14A5EE2BA725679C4192182D37DF6900AA69ECE228BAFCE909A482DFF43A1E0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............g...g...g.>.....g.>...B.g.>.....g.3.....g......g...f.^.g../....g......g......g......g.Rich..g.................PE..d.....c.........." .................n...............................................s....`.........................................`t.......e..x....`.......@..`....L..0(...p.........8...........................@...p...............`............................text...$........................... ..`.rdata..............................@..@.data...0........z..................@....pdata..`....@......................@..@.rsrc........`......................@..@.reloc...,...p......................@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1475632
                                                                                                                                                                                                                                        Entropy (8bit):6.791868709546672
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:TS3uuk58wXpQous2GCzbHwGTzsIDQAKub0MBsIFBm5fi/5ATA9NTTPjXWJD8qC:6dwXpQdNVNDQubXyi60jXTW98qC
                                                                                                                                                                                                                                        MD5:3B462EFAACFAEBA904109B4FD3FE641F
                                                                                                                                                                                                                                        SHA1:6DB8785E94FDC2152895396CB9B3D3945DA5D25A
                                                                                                                                                                                                                                        SHA-256:1F9F620D4D7D32670073C335A2DC88A5A5DCFA7A5FF18E914EC6CD8EA983105F
                                                                                                                                                                                                                                        SHA-512:7295B1F7E4437729DFDAED5310EB26B5F4A8B96A2B97ADA8F8466712A69946BAADB2588071B51D661F4FD2A6029A2914E3DB73914BD2FE1C74D725F204063EF2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.rG^.!G^.!G^.!.._!d^.!..]!.^.!..^!.^.!.))!O^.!Y..!D^.!G^.!.^.!d.B!F^.!!.Z!F^.!!.Y!F^.!!.\!F^.!RichG^.!................PE..L...r.c...........!.........*.......:.......@............................................@.........................0B..:....5..x....................\..0(.........pB..8............................1..@............@..0............................text...p-.......................... ..`.rdata..j....@.......2..............@..@.data...tt...`...T...N..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2950275
                                                                                                                                                                                                                                        Entropy (8bit):7.998764494710403
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:49152:WBPIjzSbVDryYh7ZxY0iUIO5q/R5Wc6XgsglYLYehXWHKuxU:UAjzS5xh7zY0iE5q+cNHYhXWHKuxU
                                                                                                                                                                                                                                        MD5:A7BF0DA8E308248AEFD69586E1F8A312
                                                                                                                                                                                                                                        SHA1:F1DF1B8F00087260C9C7C2BA46CB98903F98BF73
                                                                                                                                                                                                                                        SHA-256:B8C4A5EC9357ACE0E98BF2E7550D691AF280A387FC9636260EA6BC2C2B5B6BA6
                                                                                                                                                                                                                                        SHA-512:E9EDD7B668136E3A16B070C13BEDB5465AB1CEE02CC84F84F40A80ACA12CD3CE2A781724F53FECAE891A390FC257BEC727FB6E4756F644597785FF21107071FD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....S>rY..J.........6...AgentPackageOsUpdates/AgentPackageOsUpdates.Common.dll....(r......M?......B.....[.?..........._.....@...Q..w.z..h.q..hV...@$t.c.+5.....`iZ...#.....Z..^.6.............H."....4rwi'Z{R).s..l1W...+.wsV....y. <$M...f..H....1.`|....t0^....\....]0.......<5.\.R]..LZ.O.............r..d!....<.}.......Y...i.;.j.T.Y...#t..VC.f...[bv..w!?S.<.4./.a.aW...@:....D.Z..L.......N...bF........a..0..0.5..].*....b...H....T....o.fY2.#.<-........2`.;/.b?l../.D...[....J.|.)w.H./D{.S.k.....].G...a'Z^...6......._..j...gT0"...9.%.V..Ah..\.n.mF...........kf......EMU([i..Y8.X..2....c.y.va?3t;..#..0p..."H4E..*Z.. G...._...&.%7J..&z...k....\n.|..MK......e.....e.^l).8...k.%\eI..47..6.U....\.....D..O.A.CxMp....6t..&..4....e.i4......899o.._..D.............%5Q.K../.G.$...(..D...3..^..k.H.....~.>l..{y`N|.e..zaq,L..b....k]..;.........a.)hH....+W"X.V.b"U.../...F...y.C...6.=.\..v..a........6v..?:4.&.aO..,....UP|..].2cZ.R..?.x@..e+......9........I..0:

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29224
                                                                                                                                                                                                                                        Entropy (8bit):6.375928221248112
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:xpWI4FJ1CsZ1pL375SImXkmlkgGIW2W8f8Mn0DpQ8fz0m1NNyb8E9VF6IYijSJId:/lexZT375i0qvT+b7z1pEpYi606a
                                                                                                                                                                                                                                        MD5:314316DA16DAD22C969C0B92ED488EE8
                                                                                                                                                                                                                                        SHA1:6E9E9828053473D69E9DA10201C3B0DA8A6BC441
                                                                                                                                                                                                                                        SHA-256:CDDDA51F86EDA551C067930D2EE680F602632276BBD201D0627C942227FC6869
                                                                                                                                                                                                                                        SHA-512:684AC5C39038B17E31E96EB449C73D917986A2B77749F8C505B3515370CE9577CE5CB76223425046B02DCF04E982472966B3AB1EAF8973B7EBE7DCFFF09229A3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..@..........N_... ...`....... ....................................`..................................^..O....`...............J..((..........@^..8............................................ ............... ..H............text...T?... ...@.................. ..`.rsrc........`.......B..............@..@.reloc...............H..............@..B................-_......H........*..`3..........................................................:.(......}....*..0..X.........(.......o......-.....>....o......2.,..o......,..o.......{....r...p...(....o..........*.(.......$..........&...........88.......0..M.........(......-.(...+..8.o....../.,..o.......{....r{..p.......(....o....(...+....*.......................&&.%.....0..].......~......o......-.~.....o..........o.....o........{....r...p......%...%...%...%...( ...o......*....................0..O...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2006
                                                                                                                                                                                                                                        Entropy (8bit):5.012466327549389
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:327h+1/gF27RgdSagFsg+w3jdgDSg+CagFPr7:K4Mw9cr7
                                                                                                                                                                                                                                        MD5:DE33D7BC716E96683CCAEC7E3DECC54B
                                                                                                                                                                                                                                        SHA1:6CAC5E2AE17A91F55760F3652DD1D954CFE34848
                                                                                                                                                                                                                                        SHA-256:E9EC2DB29E1A7F44D6FAD976E29627E2EBCC1C9FD1797D56A69106260B70B65D
                                                                                                                                                                                                                                        SHA-512:353BF5BC4E47C7218CD3EECEE83301950FAA7D48644BEA3FE2F47B5AB432D43B466EBCF8E1A1911923EC423D30682A8FA42A3EA878E7D85C8E91EC841543B887
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):200744
                                                                                                                                                                                                                                        Entropy (8bit):5.751631234797875
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:ejkyuqpqIZ928Gs6+a2RQ/JLNiqiTj9RT:erfpLRjRT
                                                                                                                                                                                                                                        MD5:680BAC4393DA4DAFE0100D9483D3B6E4
                                                                                                                                                                                                                                        SHA1:ED211EF61232C5AACEE7CA168659F02F9D4F4E53
                                                                                                                                                                                                                                        SHA-256:C085580AB859DE8FEDBA47CA694AB475FAD9B87D4093586DB3524E60D8383F73
                                                                                                                                                                                                                                        SHA-512:5756C46B3CF0C55957C4D885F7CBA9FA71E051E1050FDBC18B6871DB044109755E9E936CE984E9E3BD30CC6BAE2902B9B618F895CC95AD3D605D9586CA5AC01B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...r............"...0.............:.... ........@.. .......................@............`.....................................O.......4...............((... ......<...8............................................ ............... ..H............text...@.... ...................... ..`.rsrc...4...........................@..@.reloc....... ......................@..B........................H...........D%............................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. K.. )UU.Z(.....{....o ...X )UU.Z(.....{....o!...X*...0..b........r...p......%..{.......%q.........-.&.+.......o"....%..{.......%q.........-.&.+.......o"....(#...*..{$...*..{%...*..{&...*..{'...*..{(...*..{)...*..(......}$.....}%.....}&......}'......}(......})...*..0...........u.......;..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1780
                                                                                                                                                                                                                                        Entropy (8bit):5.027025756159462
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3rrL7h+1/gFSagFsg+w327RgdSg+CjdgDt:7r34owoR
                                                                                                                                                                                                                                        MD5:09CDFC3063DEC485A3C48111D5CEE297
                                                                                                                                                                                                                                        SHA1:02CEFEC66B6B2EEE120F97493D438F3B270AB5CA
                                                                                                                                                                                                                                        SHA-256:0ACF70AE533AF7D079F370AB3102B9563CA4C447C5DFC7A20C88AABE04295C01
                                                                                                                                                                                                                                        SHA-512:CA39056F79EFC8CE050FCCE1AAC21B2E7B62E65A0521E3CABF90C58A7249107658C2D208706FEC456CCC74D58DCDC22E23ECBAA43684613D4826505A426E1CB7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <depend

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXVLc:WBVo
                                                                                                                                                                                                                                        MD5:EB0358328A55C4A8B2750A605E8ED570
                                                                                                                                                                                                                                        SHA1:702AEED7B181A434657573CDAB17C88E27E0596D
                                                                                                                                                                                                                                        SHA-256:7497E63F7322FFD71E59474D86E1A48C7CBE651B67FE2D6B45224017CAE9C1C4
                                                                                                                                                                                                                                        SHA-512:622DEAB03862A8F6B6469EF8F3DECC687F0C349A35F4E30D5DFD556C71E8C4AD95A2AB8ECED3EF838747623BD12B4A4A56C2E5951A8237E26ABFEC3AFD526693
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=20.9

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):102440
                                                                                                                                                                                                                                        Entropy (8bit):6.190538859276163
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:APAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OLv476D09:A2bYbYSWd85I5sSakFQhHLv4H
                                                                                                                                                                                                                                        MD5:6B1C639EA20513705FD41684F2C18BF0
                                                                                                                                                                                                                                        SHA1:205C6B3B15A805DE9431D6DB485A99B95AB14C92
                                                                                                                                                                                                                                        SHA-256:0ED265D93FB2D88D66C28C1AAC05787E924F7F59456D58E70FE31CE9DD8D08DE
                                                                                                                                                                                                                                        SHA-512:460063C5928907D1C608B4DA51A2E7985B8A4FE4E718CA85EF40DC5E1F472E586DDD5C0561A72918238A25C056888689AB1530F60391C67A054EE220F6186DEA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5*f.........." ..0..^...........}... ........... ...............................d....`.................................`}..O.......8............h..((..........(|............................................... ............... ..H............text....]... ...^.................. ..`.rsrc...8............`..............@..@.reloc...............f..............@..B.................}......H........s..|............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95272
                                                                                                                                                                                                                                        Entropy (8bit):5.997038249853711
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:P4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkjUB766T7:P4auS7S5Ea6WMcpuUBx7
                                                                                                                                                                                                                                        MD5:F5D0D1BED04A53AD68F4CC6E9E0AAE50
                                                                                                                                                                                                                                        SHA1:293084ACDFB5265C2A626468FACE6C25123F7CBF
                                                                                                                                                                                                                                        SHA-256:B4BB434C473902048499CF0710136E1DDAFCD131E583676985D229FB91BE6D44
                                                                                                                                                                                                                                        SHA-512:E21C8A4D102E88B990541750FABEE484BC65D87261345CED8BEEE23E6B34C741D0D598AE131C9FFB3C4F12B3A38D349D8CA83ECE22865712B5C364B329CFD051
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=$..........." ..0..B..........b`... ........... ....................................`..................................`..O.......4............L..((..........h_..8............................................ ............... ..H............text...h@... ...B.................. ..`.rsrc...4............D..............@..@.reloc...............J..............@..B................A`......H.......Lh................................................................(......}......}.......}.......}........o<...}....*..{....*>.{....o.......*v.{....o...........s....(...+*...0..<........{....o.....{....#.......@(....o.....{......o........&.....*........55........{....o.....{....#.......@(....o.....{......o....*..0..$........(......`...%..".o......{.....o....*Z.(....r...po ...o....*..{....o/...r...p.(....(....o%...*6..(....o....*..{....*..{....*.s....z.s....z.s....z.s..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.652243365389088
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:/Xh+/DtY2PLNyby2sE9jBF6IYiYF85S35IVnxGUHFeFlW+Td1:/Xh+tY2jNyb8E9VF6IYijSJIVxaF151
                                                                                                                                                                                                                                        MD5:D70C748ADEEAE50E8086402F3669D3AC
                                                                                                                                                                                                                                        SHA1:9784137A985652FDF4E52A7171C252C5181D0838
                                                                                                                                                                                                                                        SHA-256:0183935F8EF5C070EF76DBC8D2BD8372ED9968B2F9FEFBB19E366D4906AED0EB
                                                                                                                                                                                                                                        SHA-512:2C74A64C77A1EFE7F908AAD7A2A770D942240B8DE4FC6B7809FA2FFA52A362AE13DA617DD7E33B9E6328FBD60E1234E254337A73C55C4465D39E27AB46BE14A8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T............." ..0.............v,... ...@....... ..............................d.....@.................................",..O....@..(...............((...`......H+..8............................................ ............... ..H............text...|.... ...................... ..`.rsrc...(....@......................@..@.reloc.......`......................@..B................V,......H........ ..d...........................................................&...(....*6.r...p.(....*..(....*..(....*"..(....*. ....*.r-..p*..(....*"..(....*. ....*.r...p*..(....*"..(....*. .*..*.r...p*. ....*.rN..p*..(....*.BSJB............v2.0.50727......l.......#~......<...#Strings....D...$...#US.h.......#GUID...x.......#Blob...........G..........3......................................................................f.....F...........n.................M...........2...........Z.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):75304
                                                                                                                                                                                                                                        Entropy (8bit):6.240591356875659
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:4u2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYP:tF+qo7mDEwj4NXLGcfgruFcaD76jX0N
                                                                                                                                                                                                                                        MD5:C2F85BB7EE275CC9A72C32A975F20E7C
                                                                                                                                                                                                                                        SHA1:129765495FD204231E25D5B7A2CE49E60349BC15
                                                                                                                                                                                                                                        SHA-256:1E4BDA26B44C01EF745C5757440BD83B461C13673CDCEF417C7C89966CD61259
                                                                                                                                                                                                                                        SHA-512:8D2465D5C3D9BB6B97B19FFCD649B8D9E109243BFBCEF22E0F4BB3687BE37E1654674330B8B557D7586AEA9B251E5BB0FEF295EFAE13852E3F7E01DB8558BA08
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6............" ..0.............F.... ... ....... .......................`.......A....`.....................................O.... ..................((...@..........T............................................ ............... ..H............text...L.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................%.......H.......t<..`.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*...0...........(.....(.....o....(....*.0...........(.....(.....o....(...+*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..(..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51752
                                                                                                                                                                                                                                        Entropy (8bit):6.406730079763626
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:jQMnMYnUFMSptE7C+t2RO3neZN8752vwzE8Kku6ZFMLcyXXEpYi60rf:j9MYn1seLE8JFMLcyXQ76wf
                                                                                                                                                                                                                                        MD5:1BA548098DB8715E96EBB0B26C35D6C0
                                                                                                                                                                                                                                        SHA1:3832CCCC5D6825BE8D5CB4D9121A66ADAA68A859
                                                                                                                                                                                                                                        SHA-256:AE85B548DCFCDE72FD7A144D7D6CD0834411A11377BE6CA9860B476EC4743389
                                                                                                                                                                                                                                        SHA-512:D8B44C6C72D5FD862FFB9CCA50A4BC88905CDDD4DC805B614ED1CF2926F2B99EA99D0950D1D04DB424B9C17AD598B0AF98F4DAD612E304BBFD5F66906DB04D95
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.............r.... ........... ...............................Y....`.....................................O.......4...............((..........4...T............................................ ............... ..H............text...x.... ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B................R.......H.......XE...q...........................................................0..........(.....o.....s........s............io........,...o.......jo....s....&.o.....O.........io ...&..i.X.O..........i(!.....i(".......(!....(#...*.........*.......0.._........($....s.......(%........i.Yo.....O......jo......s&.......io ...&(........io'.......,..o......*.........FS........((...*2.~....(....*....0...........()...,.r...ps*...z.()...,.r...ps*...z.....~....s+....s,.......o-....[o....o/...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145448
                                                                                                                                                                                                                                        Entropy (8bit):6.20318988252164
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:kRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIhq:49XeDmzV2yzlhKLFU1lLVp1+2flYFnQn
                                                                                                                                                                                                                                        MD5:FCC9B83413F70E04F9B9316A530B6DAC
                                                                                                                                                                                                                                        SHA1:94EEF7962B2D87633A98C1163E1446568122E5C1
                                                                                                                                                                                                                                        SHA-256:E4C215BE9FA61D24AB1D3410700E907DDBBE4D8F70930E975B0E128D22BAB46C
                                                                                                                                                                                                                                        SHA-512:063D92C90EFD3626160909BFD373A125EEC4985BC76AA587706700E1B428914C02C9DFE5FE0B2208BDC50454522EE34E98F97D3B52DAB1DBE374521FD1C72B50
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....nI..........." ..0.............v$... ...@....... ....................................`.................................#$..O....@..|...............((...`......,#..T............................................ ............... ..H............text...|.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................W$......H.............................."......................................V!.b.....s&........*..{....*"..}....*..0..Z........(....o'...-.r...ps(...zs......(....o)....+..o*.....o.....o0...o+....o....-....,..o......*........*.$N......J.s,...}.....(-...*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*6.|.....(D...*..{....*"..}....*..{....*"..}....*V.(....-.r...p*.(....*..(E...%.(....o"...%.(....o$...%.(....o ...%.o....*..(-...*..{....*"..}....*..{ ...*"..} ...*..{!...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96296
                                                                                                                                                                                                                                        Entropy (8bit):5.633317749255577
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:M2kKfq2RQuKDMOoytxL2L4zP+YuqL2zL7SAaDx4lbOw6OhkW76fJng:VQmyxL2L4D+YZL2X7SAaqywjhkWeng
                                                                                                                                                                                                                                        MD5:97006EA42D7F2CD86FE0594427CCD95D
                                                                                                                                                                                                                                        SHA1:46B9A6B2206323BB9A11BF57B77FA73F81DAFE36
                                                                                                                                                                                                                                        SHA-256:FE61C8E0D29F6AD8142B31CA6E95269865140C18A8C2A61B4FDFAA54E375CA50
                                                                                                                                                                                                                                        SHA-512:917B9D5F16400CAB2D5F1A2313027B2E72377FFB9A4A9E2A5D407A9CE04B9443C4290A480DAC2D2C4AF51A760207A05E9CBF8ADA234C690CF668AC1CB4975385
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....W...........!..... ... .......7... ...@....@.. ...................................@.................................47..W....@..p............P..((...`....................................................... ............... ..H............text........ ... .................. ..`.rsrc...p....@.......0..............@..@.reloc.......`.......@..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):386600
                                                                                                                                                                                                                                        Entropy (8bit):6.136021723672871
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:MsETsbZnV4Nsaw8MkaybNq0qJh1rDHq4so8maLvdGCBg/8Q/ZmvEy1:MsbZnMfwWFKFrrWa8BvEy1
                                                                                                                                                                                                                                        MD5:EAB80C971EFAA7568B13CAEAC857B6EC
                                                                                                                                                                                                                                        SHA1:0C0F11735AC648A6D4876E2E38984A0D73AD8F7B
                                                                                                                                                                                                                                        SHA-256:7DC79AFC90BA6785DA4920987927F9AC1F8F395DFB907FDE0664FE5B72F54BB7
                                                                                                                                                                                                                                        SHA-512:CC1637E3D17D20C4E04DFE3A0ABAEF59B2051F2016B9FCA2F8F34DCD5E40E436A089A4F007F010918D0E0C3B1B21711DC6A12730B7356E323F7617FFE97E29BF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... ....................... ......Y.....`.....................................O.......@...............((..............8............................................ ............... ..H............text...0.... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H.......T...$...................x.........................................{0...*..{1...*..{2...*..{3...*..(4.....}0.....}1.....}2......}3...*....0..q........u........d.,_(5....{0....{0...o6...,G(7....{1....{1...o8...,/(9....{2....{2...o:...,.(;....{3....{3...o<...*.*.*....0..b....... ...u )UU.Z(5....{0...o=...X )UU.Z(7....{1...o>...X )UU.Z(9....{2...o?...X )UU.Z(;....{3...o@...X*...0...........r...p......%..{0......%q.........-.&.+.......oA....%..{1......%q.........-.&.+.....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.837014501178387
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:aN9VWhX3WseNyb8E9VF6IYijSJIVxF5WIuVI:KGZmEpYi60r
                                                                                                                                                                                                                                        MD5:BFE3FD7DBCACF581B11C1D248540F57C
                                                                                                                                                                                                                                        SHA1:E56FE2B0FD4E814C7021718320665991B7025D1E
                                                                                                                                                                                                                                        SHA-256:7E4163D3EB5A8DA07AF06690A164D61528F8EB18EA5982A025334D42A891575B
                                                                                                                                                                                                                                        SHA-512:73F11F881E416DF2ECF2998437297D07A33C60D204D55A1A7C60140482494F304343CCE37BF6F2DB53E57A72CC679AA2C182221A77556D44D2E3566C0B200F21
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............(... ...@....... ....................................@.................................T(..O....@..0...............((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc...0....@......................@..@.reloc.......`......................@..B.................(......H.......P ..L....................&......................................BSJB............v4.0.30319......l...|...#~......<...#Strings....$.......#US.(.......#GUID...8.......#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.7...K.W...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):331816
                                                                                                                                                                                                                                        Entropy (8bit):6.168530803475181
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:JBhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNTI:JDMUWITZznu85k8Wdn8KmCjIFi3Vvs
                                                                                                                                                                                                                                        MD5:EA2DC3079A6B90586523F6B5ED90F5A3
                                                                                                                                                                                                                                        SHA1:C4AFB2CCB20D23CD827D9F0FC37BF2E4352A3FE4
                                                                                                                                                                                                                                        SHA-256:B7BB4FEB60B858F897A155D73E1390F19E9602A3113B9E829DB41E559C5F2553
                                                                                                                                                                                                                                        SHA-512:6E5750F98419C795B96FA364B099E15FBCCD5CC2510A1157BFD86C2EDA40D2B5758F7AF028CDCFF883FBD727FA1A7BDA0572B24718448C77B907B9ADA02586BC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... .......................@............@.....................................O.......................((... ..........T............................................ ............... ..H............text...<.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H............9..............H.............................................{....*..{....*V.(......}......}....*...0..A........u3.......4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ..<. )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q6....6...-.&.+...6...o.....%..{.......%q7....7...-.&.+...7...o.....(....*..{....*..{....*..{....*r.(......}......}......}....*..0..Y........u8.......L.,G(.....{.....{....o....,/(.....{.....{....o....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):883752
                                                                                                                                                                                                                                        Entropy (8bit):6.071387146656695
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:01n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQr:01n1p9LdRN39aQZUq6
                                                                                                                                                                                                                                        MD5:F23AC958C02D33E5DDB12C4368031151
                                                                                                                                                                                                                                        SHA1:CFDBBB7FF458F9699E5D6FB1C2F89B781A566333
                                                                                                                                                                                                                                        SHA-256:BFF0CA2BB4435712E9A66A8F18C8E29C9B89ED6C68202C4291936E630E5DC1EB
                                                                                                                                                                                                                                        SHA-512:1F39BC84FB829AE58C6579BD49339323F19B822D12074D3E4E8BDFE4E65A5C115C5403CD397EA87632291F9B7D376E6A45E92E12B5060AFC8D337075CD86BE3A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..F..........:d... ........... ..............................c]....`..................................c..O....................T..((.......... c..T............................................ ............... ..H............text....D... ...F.................. ..`.rsrc................H..............@..@.reloc...............R..............@..B.................d......H........%...2...........W.......b......................................"..(....*..(....*"..(....*..(....*..(....*..(....*.(....*"..(....*...0..B.......~..........(b...~....,.~.....oc......+...(......od......,..(e....*........../7......"..(....*6.(.....(....*..0..........(.......of...&.*.(....og...*2(.....oc...*....0..?.......~..........(b...~....,.~.....oc...+...(.....oh...&...,..(e....*.........,4.......0..?.......~..........(b...~....,.~....oi......+...(....oj......,..(e..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.9601398148034646
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:qBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUD:qBA/ZTvQD0XY0AJBSjRlXP36RMGy
                                                                                                                                                                                                                                        MD5:08FE509EA44C01D6D5C83F3AC81F46EA
                                                                                                                                                                                                                                        SHA1:4A6DF4F98E8C45D0EEC41FF256CC3BAFEEAD6DFE
                                                                                                                                                                                                                                        SHA-256:5ABFEA7C801378D0042FA274B5FCCA8F562F88ECFB70F3F9D0E3683B326C23BE
                                                                                                                                                                                                                                        SHA-512:B3D1F40C450FF3DFDEA9E97061E9785BECFF22950A59B9261480DEAA4973BAD57E472852C3F03098FEEF75BE4A59E0B53F3883CDF9FE13BA5D0C662BF3A59C72
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......5.....`.....................................O.......................((.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):285736
                                                                                                                                                                                                                                        Entropy (8bit):6.184655131095567
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:pZAWDkTmokB1QI3A5XeedC1OcQykFlE1WhOMiSdNrgClZ73HpsP+zva:pZU0BJwuOcrl1w7HX3HWL
                                                                                                                                                                                                                                        MD5:8D6065ED65731D045833C8A6153D0F18
                                                                                                                                                                                                                                        SHA1:E9151E9A8D8236CEAE979F7ED53D56DF8176BB34
                                                                                                                                                                                                                                        SHA-256:3DDF65C29DE811BAEC8C65CD2C4DD6B9BFCD24013E0DBB63FF47F622D77E2460
                                                                                                                                                                                                                                        SHA-512:B3FB0C4BE16B85D4AE77F922364EB8B1DF86DA56346DE4AC8F37BAEF71E27322971DD3BEEDD2EDF7157FAD0A1CAE36A61C61D413B08585DF56E6BFF7BD5FE98C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&............" ..0..*..........&H... ...`....... ...............................Y....`..................................G..O....`..L............4..((...........G..T............................................ ............... ..H............text...,(... ...*.................. ..`.rsrc...L....`.......,..............@..@.reloc...............2..............@..B.................H......H....... d..t....................F......................................^.{....,.(F...z..}.....*^.{....,.(F...z..}.....*"..(K...*"..(L...*...0..,.......s.......}............s9...sv....{.....(....*.0..-.......s.......}............s9....s.....{.....(....*....0..(.......s.......}............s9.....{.....(....*.0..'.......s.......}............s9...sv.....(....*B...s......(....*......(....*.0..'.......s.......}............s9...sv.....(....*F...s.......(....*....0..X.........(:...}

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25640
                                                                                                                                                                                                                                        Entropy (8bit):6.559405184471352
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:AAQk7qYbA6fXDpLk5LHAxOEaGxBtNXNyb8E9VF6IYijSJIVxsSX1m9fMt:z1LOg3BtNbEpYi60p1m9fI
                                                                                                                                                                                                                                        MD5:DCC3BE6DC148A23C9579CF2F04A53D3A
                                                                                                                                                                                                                                        SHA1:8B62BEE07B70898F5A45A0E2B257E7235F74A03F
                                                                                                                                                                                                                                        SHA-256:8414B051ABC068406265BF693863D2B8FC1B94D4CBA30D5A3D6F4DDA744D0E65
                                                                                                                                                                                                                                        SHA-512:370F706095B849AE333C7C8F8EA5929B62E8601A5DB41BC390FCC7179FE70D08DCA15895B2F7184F8589A330B0484D0050F0DD57270EFA8E204E56B1A4AC1ED4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..............."...0..2...........Q... ...`....@.. ....................................`..................................Q..O....`...............<..((...........P..8............................................ ............... ..H............text....1... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............:..............@..B.................Q......H........*.. &...........................................................0..:.......~....s....(.....(.~....r...p.o....r...p.o....(....o......*.............(......(....*.s.........*.0...........(.....(....o....r...p(....}......}.....s....}......{....s....}......{....s....}......{....s....}.....s....}.....(...+.~....%-.&~..........s....%............s....(.....{....s ...}......{....s!...}......{.....{....s....}....*.0...........(....,..(....*.{.... ....rU..pr...p.o"...u(.....(#.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2029
                                                                                                                                                                                                                                        Entropy (8bit):4.997010915207503
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3Aruz7h+1/gF27RgdSagFsg+w3jdgDSg+CagFt:wruv4Mw9y
                                                                                                                                                                                                                                        MD5:A1DB8C019769BA7256F40E580304C782
                                                                                                                                                                                                                                        SHA1:6C0D70EE9CEBFC288A88B100F59D5554F8C42A35
                                                                                                                                                                                                                                        SHA-256:FC68DEF71CD783C53B3D106317F879E544E3443A55AF195BDD6C663F8051A96F
                                                                                                                                                                                                                                        SHA-512:795C141D06E70CD0D91ACFFE74F519EDB78382588B10927D456D20AA70D10BADCF02A626B8B666B00B21CAFCD555F03029D16EFAABCF1D762D58AA8095B6527D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependent

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):210984
                                                                                                                                                                                                                                        Entropy (8bit):5.348027766693773
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:UsMNkrE4AOS3ncIzkq2ijc3Y28MNwH5Z54a7p:9MNkrE4AOqcIzQijLv
                                                                                                                                                                                                                                        MD5:00C1D783E0EF9BD70C015301323AAD54
                                                                                                                                                                                                                                        SHA1:F04C9A062585C0011AFD39248E9D109A45DBFD56
                                                                                                                                                                                                                                        SHA-256:6EFDC586FF71D8C683F941F9232E22E86AC18C03808B28B5BA65700F01CB0EB0
                                                                                                                                                                                                                                        SHA-512:A71F28DE4AD366CDA8F34AEBFBE8D719A620138FE8CC3404712C329FB8758C0AA51D81B8A318A92C143A89D4252FD6A5C4EFE4C2130F6DB5E63EF80E83461071
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z............"...0..............;... ...@....@.. .......................`.......5....`..................................;..O....@..@...............((...@.......:..8............................................ ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......@......................@..B.................;......H.......H$...............................................................0..;.......~....s.....(.....(.~....r...p.o....r...p.o....(....o......*............(......(....*.s.........*.0..x........(......}.....(.....s....}.....s....}....(...+.~....%-.&~..........s....%............s....(.....{....s.......s....}....*.0..5.......(....--(....o......(.......(....+. ....( ....{....,.*....0..I.........i....*..{.......o!.....{.....o...+.. ..{....r!..p.o....(#...o.......*.*............'..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19433
                                                                                                                                                                                                                                        Entropy (8bit):4.9963400212242055
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:hrg4CdkumUwfGReGWeGFuGgeKCUDuTeHOTu0U5e3eTOaUmS0SXStuKhubUfSJeZY:hrPOPUDCTHffIz
                                                                                                                                                                                                                                        MD5:78AE9CC6C7B11BAC2B18E82FC7623CDB
                                                                                                                                                                                                                                        SHA1:8314E6F35448B820C7C703FC3E4DE598D2A51AEC
                                                                                                                                                                                                                                        SHA-256:D3841AA3440CDA26776DDE128157294E69A70B21344D5877D640C457353C2DCB
                                                                                                                                                                                                                                        SHA-512:CE6A750E75090487C47095B80D47F5AD0C3D3DE4D6EC58A01E14CC694600FEF951AE371DD2A1B82C756ADD66825611B13240DDD3AAE6339ED85DBD3392DED7E5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Numerics.Vectors" pub

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):284200
                                                                                                                                                                                                                                        Entropy (8bit):6.117133765251699
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:+ZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHP:cgo0WPVTXgv
                                                                                                                                                                                                                                        MD5:983C9AD3726D1FC26B0D538AD8DCDE86
                                                                                                                                                                                                                                        SHA1:6880E0761F9552E45A1CAE821FFAD0BE4C8DA0F7
                                                                                                                                                                                                                                        SHA-256:F4294EDCA44BDE15AAE74EC7B42A5E8C883B04CEE61B31ABC33982ABC23EB0BF
                                                                                                                                                                                                                                        SHA-512:10D1AA46A326AAC115705C3BAB04650AAB0420CF4BB03AB21672C284138E1463F383BC78C4EC05451BA1266BF8452F1A4852E8D99724D2372FEEF6B9524E77E3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7..........." ..0..$...........C... ...`....... ...............................x....`..................................B..O....`..D...............((...........A..T............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...D....`.......&..............@..@.reloc...............,..............@..B.................B......H.......X~..x.............................................................o...+*..o...+*..(....*n.-..r...p.r...p(<...s=...z*...(.....o>...-.r...p.r)..p(<....s?...z*.0..9..........o@......+$..........(A....oB...(...+,...+...X....i2..*..(D...*....0..n.......sE.....oF......+A.......(...+,/..oG....,.rc..p..oH....oI...(J...sK...z...oL.....X....i2..oM............oN....*..(D...*...0..E........oO....+..oP......oQ......8...,......o....-....,..o.........8.....*.*...........'.......V.-.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.808721120015982
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:0y8+xcexWQFW56PQNyby2sE9jBF6IYiYF85S35IVnxGUHF1/JufdGq:FDNxWQFWsoNyb8E9VF6IYijSJIVx5+Mq
                                                                                                                                                                                                                                        MD5:AE0AB880D8686E1442ABF5CC1F36CC9E
                                                                                                                                                                                                                                        SHA1:6F2AAD5C546434B913E804A657602CEE1CA60967
                                                                                                                                                                                                                                        SHA-256:42FAEA9A80701970855E44B06F03585AFFF16821369C5F14D75C09194EEB24E4
                                                                                                                                                                                                                                        SHA-512:1029567305D1496D1886B2A6484CDE6CAF894FBF362AFA8E4122713A0B0B8BB07E6522D0106028200962414BDDAA8F3917B957981DBD5A6A63124A416B1C32C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0.............f(... ...@....... ...................................@..................................(..O....@..................((...`.......&............................................... ............... ..H............text...l.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................H(......H.......P ......................\&......................................BSJB............v4.0.30319......l...|...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.....K.N...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22056
                                                                                                                                                                                                                                        Entropy (8bit):6.66989638440343
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:PrMdp9yXOfPfAxR5zwWvYW8aznNyb8E9VF6IYijSJIVxAcX:PrMcXP64LEpYi60r
                                                                                                                                                                                                                                        MD5:A30C2E87D40CDD2BFE9F6B8465E0634D
                                                                                                                                                                                                                                        SHA1:C2EB140F5899A728478C4B04C184983328671930
                                                                                                                                                                                                                                        SHA-256:EE0E6A500232E5698667F69A35D01CE67FC380B3DD513F022D15023240E33009
                                                                                                                                                                                                                                        SHA-512:7F080B1F43E917003DB4B746C8222C9E4B162D3CCF4713BDE6920D0E8F0CFF12AD13B39D550EADDC21697953BAB7E7F119CA1EDBB0D2E8066AF61E5A03B03835
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$..........BC... ...`....... ..............................6.....@..................................B..O....`..@...............((...........A............................................... ............... ..H............text...H#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B................$C......H........'...............?..X...8A......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*B.....(.........*R.....(...+%-.&(!...*^.....("....(...+&~....*.s$...*"..s%...*..(&...*.*....0......................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.905647342366222
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:/m2igOWnW8rW/tNyb8E9VF6IYijSJIVxPT893LOn:HtaJEpYi60w9bOn
                                                                                                                                                                                                                                        MD5:5D9D88925C1845DAF33395E95EE69018
                                                                                                                                                                                                                                        SHA1:8EC1E83D0090A5BB84FC8FDAB3A385D7731E694D
                                                                                                                                                                                                                                        SHA-256:CEE556F40D35B7C25F3232B85BC4B4741530D800EFC2A4E145F223DD7E0C4984
                                                                                                                                                                                                                                        SHA-512:97F3806950C0F52159B85CBE6F1350132FF4CFA66F56C5CA247A979FBFD29428BCF798C67F0E333A0BE037141BA17E0633C072E0B74211C6ADAFABFA48A27D72
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............)... ...@....... ...............................F....@.................................t)..O....@..D...............((...`......<(............................................... ............... ..H............text........ ...................... ..`.rsrc...D....@......................@..@.reloc.......`......................@..B.................)......H.......P ..l....................'......................................BSJB............v4.0.30319......l.......#~..d.......#Strings....@.......#US.D.......#GUID...T.......#Blob......................3................................................n.o.....o.....\...........8...3.8...P.8.....8.....8.....8.....8.....8.....1.....8.................V.....V.....V...).V...1.V...9.V...A.V...I.V...Q.V...Y.V...a.V...i.V...q.V.......................#.....+.....3.....;.....C.:...K.Z...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8981710262342935
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:onapn1iwwPWcGWT5JNyb8E9VF6IYijSJIVxagmKIFJI1:DDur5NEpYi6003PI1
                                                                                                                                                                                                                                        MD5:241D95F95B6BC6D54859A2595318208B
                                                                                                                                                                                                                                        SHA1:2BE0B4E74C50CF3DBD7CE319FEAA149C95944105
                                                                                                                                                                                                                                        SHA-256:01551D1FF7D4ADE6B3CC5A08374ADCD89ABF57D923AD1031817FA55C3F8DE036
                                                                                                                                                                                                                                        SHA-512:A104BB81F87CF75419373D560E8C4DE9E044E56F0F0FF1C31599609DB21E2B8C2C6619031DA91439F9F242749E281AF94F302EB0B00C3BA02EFDD17ECDCE50D7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ..............................^m....@.................................p)..O....@..@...............((...`......8(............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................)......H.......P ..h....................'......................................BSJB............v4.0.30319......l.......#~..t.......#Strings....<.......#US.@.......#GUID...P.......#Blob......................3................................................F.o.....o.....\...........,.....,...(.,.....,...f.,.....,.....,.....,.....%.....,.................V.....V.....V...).V...1.V...9.V...A.V...I.V...Q.V...Y.V...a.V...i.V...q.V.......................#.....+.....3.....;.....C.:...K.Z...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.903601508363786
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:pHLaEav5aaUa6arWVLWrMNyb8E9VF6IYijSJIVxg3P+O+:MPv5t/NOOMEpYi608d+
                                                                                                                                                                                                                                        MD5:FC035CA8C05B7928297298556DBB5E90
                                                                                                                                                                                                                                        SHA1:123072EA9F48C9B9A68488A728F7CB9E03BA63F2
                                                                                                                                                                                                                                        SHA-256:9AA9E369D919DA831FA0644C787A74B26C8095D2480661F6D7ACCF6C074E3DE7
                                                                                                                                                                                                                                        SHA-512:E62DD13EA721F51A69F2D9984A09AA2F8045B5273B661BABD25C4EA7D56B9EE492EEF1A5B1F9B235FBF87BA1668F0B42A93361BE71AF760318464A0CE78D89C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............)... ...@....... ....................................@..................................)..O....@..P...............((...`......P(............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~..........#Strings....T.......#US.X.......#GUID...h.......#Blob......................3..................................................`.....`...t.M.................................=.....V.................q.....Z...................G.....G.....G...).G...1.G...9.G...A.G...I.G...Q.G...Y.G...a.G...i.G...q.G.......................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.759445435626797
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:J6iIJq56dOuWSKeWukNyb8E9VF6IYijSJIVxHDRxQayPL1:XiAuEEpYi609mLPR
                                                                                                                                                                                                                                        MD5:8BC4B367A838CA0541F861461FDDD58C
                                                                                                                                                                                                                                        SHA1:68D55D1E81FDF5685574F2E730C326F85D65849A
                                                                                                                                                                                                                                        SHA-256:AE3B5313F698C46D9F5261F55E9852A6C5541422F6BBA6F8FDF45DACE831B06D
                                                                                                                                                                                                                                        SHA-512:96BFA254161EAFF82883EB5AFC3F9C89C5A9B23B6E3ED43EF8F070FF36EEAA4F50B1082FCF649719B5C3F8E813287179E686AD09CBA78F4FDAB3E07AC6D0869C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............*... ...@....... ...................................@..................................*..O....@..................((...`......L)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P ..|....................(......................................BSJB............v4.0.30319......l.......#~..|.......#Strings....\.......#US.`.......#GUID...p.......#Blob......................3................................................k.~.....~.....k...........*...0.*...M.*.....*.....*.....*.....*.....*.....#.....*.....x...........e.....e.....e...).e...1.e...9.e...A.e...I.e...Q.e...Y.e...a.e...i.e...q.e.......................#.....+.....3.....;.....C./...K.O...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.810832023088915
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:vnzz+MpSaLWW0+WCANyb8E9VF6IYijSJIVx1Jcy:Xpui4EpYi607/
                                                                                                                                                                                                                                        MD5:8183A6B9FEC61A9FE3D60BA0B6116707
                                                                                                                                                                                                                                        SHA1:BC7ECD7433A6B84B3AC569D0D0BE4B22BCC361CF
                                                                                                                                                                                                                                        SHA-256:45B40B440D3FB31CAE63A79FD57B10BB4AB8639FB123D5CFE485FE8129D9FE3B
                                                                                                                                                                                                                                        SHA-512:0CB9FF5FBF4E893FC3B250E16229CBCC96A816322A5DAF421799AE05FDD5532DDDBD23EADBBFBAE65D4E6D8E2DBF3191572C9D328AE364BB528CEC6F2CA4F16A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............B*... ...@....... ...............................,....@..................................)..O....@..................((...`.......(............................................... ............... ..H............text...H.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................$*......H.......P ......................8(......................................BSJB............v4.0.30319......l.......#~..t...@...#Strings............#US.........#GUID....... ...#Blob......................3............................................................V...........j.................i...........8.................S.....<...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.'...C.B...K.b...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.8589068611287205
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:iGhr+YUfyHxsW/HW5zNyb8E9VF6IYijSJIVxVUCFjh:BkmcvEpYi60vh
                                                                                                                                                                                                                                        MD5:940316302BBEC3E79DEB2B28FDCAF8A1
                                                                                                                                                                                                                                        SHA1:2BB2787C631FD8B7856F2B74CF578827922EDCE7
                                                                                                                                                                                                                                        SHA-256:D24AC47E9AD50196110BD0ABB1C529FF18FA5664A99594B69BC96995977DBD3A
                                                                                                                                                                                                                                        SHA-512:76E31F1E568A7AD69F9805EEE696485C9A5F212858C7AD782E2AB825370A8DA3835CD2F9AEF3E3F2B9C485AF4BBCE7064F898DF7D27B08A1C67192471669A347
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............+... ...@....... ..............................3:....@.................................<+..O....@..`...............((...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B................p+......H.......P ..4....................)......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3................................................Y.]...{.]...6.J...}.....r........... .............................................................D.....D.....D...).D...1.D...9.D...A.D...I.D...Q.D...Y.D...a.D...i.D...q.D.......................#.....+.....3.....;."...C.=...K.]...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16936
                                                                                                                                                                                                                                        Entropy (8bit):6.789119095131649
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:QRE+ruiA5vzWeNWdSNyb8E9VF6IYijSJIVx4X1s8:QS9b2yEpYi60Y28
                                                                                                                                                                                                                                        MD5:0CC054A481CE8AEE039AE6B97364A112
                                                                                                                                                                                                                                        SHA1:9D0E5BFA13D1B1448F166DB554A7D3D4F6A1DC8B
                                                                                                                                                                                                                                        SHA-256:B36CCDF4140652D9450362EFF338E413A9FD9772DB764797433A578FC3DD7E77
                                                                                                                                                                                                                                        SHA-512:D146437CFE46CB43F9631CB1A746FBB7BDB8A316066C8B8507B027240D8AC6A759798BF69A947607DF01853CC1B381DB6B919DAD0E3C1C79A042BFB4FFE0B30F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0............../... ...@....... ....................................@................................../..O....@..p...............((...`......T................................................ ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B................./......H.......P .......................-......................................BSJB............v4.0.30319......l.......#~......@...#Strings....T.......#US.X.......#GUID...h.......#Blob......................3................................;.....Y.........8...........<...........P.......................X.....q.....g................."...................I.....I.....I...).I...1.I...9.I...A.I...I.I...Q.I...Y.I...a.I...i.I...q.I.......................#.....+.....3.....;.%...C.@...K.`...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.849809199392687
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:mT+6ywnVvW0LW5SNyb8E9VF6IYijSJIVxcFRc2y:m998yEpYi60Mc3
                                                                                                                                                                                                                                        MD5:AB8B056D3962952F755B35EAD6A51FCB
                                                                                                                                                                                                                                        SHA1:6CAC0BB2EEF8E9D4A801DF46117EECE5C5999F4B
                                                                                                                                                                                                                                        SHA-256:97D475D6C3E3BC587D50219C689F0ECF105F2841FF112056A6F1CD263C1594A7
                                                                                                                                                                                                                                        SHA-512:B8853D11C02392D5BEEAA438F8B72F62FC1B4AA430B3A8917344B3B9CB6DCA68A1798D1E4F998289209354EA649FFDC37C80AEE8A2485153D58AB79649A20470
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ..............................."....@..................................(..O....@..................((...`......|'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~.. ...h...#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0.....7.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.847116474755869
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:BRbzriaXT+WlEWe5Nyb8E9VF6IYijSJIVxri+ttx:b7icodEpYi60u8H
                                                                                                                                                                                                                                        MD5:278D356CFA89B610F1918CB0CA796D6B
                                                                                                                                                                                                                                        SHA1:175B8CF5777AF5E3A2E66180250ABFDD1D83A5E1
                                                                                                                                                                                                                                        SHA-256:AE78DA9DB7D385E2E13030DE927D6469F8038C1EA3E874E7C5A2AF6001CB03DB
                                                                                                                                                                                                                                        SHA-512:A273E47200ED6DC3203CB227D5178CA3C530BC613A9C22A240649F3D1FBA01029BA132574DC2BC421817C9023EACE97683EA1ECE9B27D12BE17B37534E9569DA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............6)... ...@....... ....................................@..................................(..O....@..................((...`.......'............................................... ............... ..H............text...<.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P ......................,'......................................BSJB............v4.0.30319......l.......#~..H...x...#Strings............#US.........#GUID...........#Blob......................3......................................................k.....?.....$.....S.................R...........!.....j...........<.....%...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.+...K.K...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):148520
                                                                                                                                                                                                                                        Entropy (8bit):5.417488785442083
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:9dYO+3m9R6e1x03BZ6bDSzZ8B0uAP+CS6:r+2jv1x0ebezWiuC
                                                                                                                                                                                                                                        MD5:AF1E821B8A3634D9269C33BBAC43259A
                                                                                                                                                                                                                                        SHA1:FB5BAC6680C07FD60C50DA14D65777781C8ACDF3
                                                                                                                                                                                                                                        SHA-256:C01DE1B0E94D567C95B501CB14E6272686D8861A6FBE9E0F7764CB63F8464389
                                                                                                                                                                                                                                        SHA-512:F3BF246E895EA190665ECC5B30CA27F9DBDDBEFE53AF0EA827A9BAFDB174B720F2A05F0B69A93FFCDAA17ABBBB1B101315282204D5BBA290DF437FE5E83FE84E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............,... ...@....... ..............................AR....@..................................,..O....@..................((...`.......+............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H........A...............?..h...t+......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2r;..p.(....*2ro..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2rK..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2rM..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.811005954002995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:ezNnzx7FWjYW5mPVNyby2sE9jBF6IYiYF85S35IVnxGUHF8oymi9lJNgm:sRtRWjYWw9Nyb8E9VF6IYijSJIVxI7im
                                                                                                                                                                                                                                        MD5:086514F955B4FB63823AC543BCA52015
                                                                                                                                                                                                                                        SHA1:90707A4807ECF6D88087CD48A99C9BED11B90A55
                                                                                                                                                                                                                                        SHA-256:A96C840F303681C16E57B125B5D7F2D5067E975B3946236DD3DB73FEEB02B12A
                                                                                                                                                                                                                                        SHA-512:8604B5175A8F8D2F6C6C0105BEC6E866EC8A8E7422C4AFC7EBC49FEBBEDDB08DCE4D3C933E6F194B17B553B4C5471011DD9268A5A7DE9378FB48DCA293B0BF50
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............*... ...@....... ..............................E.....@.................................x*..O....@..@...............((...`......@)............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................*......H.......P ..p....................(......................................BSJB............v4.0.30319......l...@...#~..........#Strings....H.......#US.L.......#GUID...\.......#Blob......................3..................................................-.....-.........M...........[.................'.....@.................[.....*...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.892970175187929
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:zeWnoW7zNyb8E9VF6IYijSJIVxG1+M991Yu:znJvEpYi601ML1
                                                                                                                                                                                                                                        MD5:269E24A05A71FCAECB712DC3EA3DC41C
                                                                                                                                                                                                                                        SHA1:10A5849D210C9E58DA2CC73488E8C44CA444CC02
                                                                                                                                                                                                                                        SHA-256:8A9B5ADFA4098CED04783A97D2A539880195652287532C48623452D090839838
                                                                                                                                                                                                                                        SHA-512:CC6F1EBC55F3B2AFB044529C42BDA0D0902219F1F924D04A3A21006DD2FDBE60E5C992399CB6910E8E766661D1A4B6B39D99CE75CAFD29DF0A8B54B8AD8F9700
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ..............................x+....@.................................X)..O....@..$...............((...`...... (............................................... ............... ..H............text........ ...................... ..`.rsrc...$....@......................@..@.reloc.......`......................@..B.................)......H.......P ..P....................'......................................BSJB............v4.0.30319......l.......#~..X.......#Strings....,.......#US.0.......#GUID...@.......#Blob......................3......................................K.........]...........d.............o...".o...?.o.....o...}.o.....o.....o.....o.....h...-.o.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.5...K.U...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):99368
                                                                                                                                                                                                                                        Entropy (8bit):6.236381782824803
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:q7DoXrtUaK/XIg+rZAXj8s9HaWt9LuOw9VHHV55aTwWbaD763TC:eitRK/XIgIZAXjD96WfLtGdM5baDB
                                                                                                                                                                                                                                        MD5:107B89432AC39BF7485D00E9F9BA0AF1
                                                                                                                                                                                                                                        SHA1:CB508EAB5A9CD8280B360472AAE2DE376885DBC3
                                                                                                                                                                                                                                        SHA-256:B9F9FEC462F082C53A4F732FC84C17864168EBC05C17CF244BEA9D20CAA8E8AE
                                                                                                                                                                                                                                        SHA-512:98EE7B0F2C67261BE583AE1F200FA244FD5B19D861362D2AF680FDB2C5E9826B8D3AEA02ECBCF5EBA2CC0E4F35F2B3FC6295F7607B77487AFACCFFEE857E3F77
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v.#..........." ..0..R...........o... ........... ....................................`..................................o..O....................\..((...........n..T............................................ ............... ..H............text....P... ...R.................. ..`.rsrc................T..............@..@.reloc...............Z..............@..B.................o......H.......4................e.. ....n........................................{'...*:.((.....}'...*..0..#........u......,.()....{'....{'...o*...*.*v ..yN )UU.Z()....{'...o+...X*....0..:........r...p......%..{'......%q.........-.&.+.......o,....(-...*..{....*:.((.....}....*....0..#........u......,.()....{.....{....o*...*.*v ..:. )UU.Z()....{....o+...X*....0..:........r-..p......%..{.......%q.........-.&.+.......o,....(-...*..{/...*..{0...*V.((.....}/.....}0...*.0..;........u......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.FileVersionInfo.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.851724575518685
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:j6oWJjWN3Nyb8E9VF6IYijSJIVxukeX1Ji:j6vk7EpYi60cK
                                                                                                                                                                                                                                        MD5:404442503A513D2D2FB35F3AB54E3026
                                                                                                                                                                                                                                        SHA1:CB04FC87189B09FEDCC16281D38B236FA9EB7E04
                                                                                                                                                                                                                                        SHA-256:D2D50F61A9091A9EC33718AF6B5FA538E018D470AC183D4C7F2AF0E27B323A74
                                                                                                                                                                                                                                        SHA-512:1C30E54A61590E8752971A06262E5A65184D7BD1C5A08AE46BCC092CFC091432CA465C794923B9239F6B9CF0BE911F94F431982591F9B5064334A8996C9037C2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ...............................f....@.................................H(..O....@..p...............((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B................|(......H.......P ..@....................&......................................BSJB............v4.0.30319......l...|...#~......(...#Strings............#US.........#GUID...$.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.$...C.?...K._...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.7789598678942475
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:oqk53/hW3fZ+zWqyNyb8E9VF6IYijSJIVxjvMH:oqk53MmSEpYi60gH
                                                                                                                                                                                                                                        MD5:4B444A308BACF73BF6591B7A73701A1D
                                                                                                                                                                                                                                        SHA1:95E7599D1C4799AA2E8A4ECA57118782D7246AC2
                                                                                                                                                                                                                                        SHA-256:F3B814D31BFDB844451DD1560037C251ADC8B20F4A459D1954BD758F2AEFDF75
                                                                                                                                                                                                                                        SHA-512:1FC3E93A41B91063607830780E1A4B8CE23CE11E846AB07C9A77379AC28E6B270A0AA64CC0A38E14E09CA981B7CB6BA3B8442A1AF46362A75785C665E4B92D6E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............**... ...@....... ...............................*....@..................................)..O....@..0...............((...`.......(............................................... ............... ..H............text...0.... ...................... ..`.rsrc...0....@......................@..@.reloc.......`......................@..B.................*......H.......P ...................... (......................................BSJB............v4.0.30319......l...$...#~..........#Strings............#US.........#GUID...........#Blob......................3............................................................j.q.........~.................}.....3.....L.................g.....P...................k.....k.....k...).k...1.k...9.k...A.k...I.k...Q.k...Y.k...a.k...i.k...q.k.......................#.....+.....3.....;.....C.7...K.W...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.StackTrace.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17960
                                                                                                                                                                                                                                        Entropy (8bit):6.661633140809755
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:bFCc4Y4OJWfOWqWWOW7yNyb8E9VF6IYijSJIVxwO4dG0s:JCcyCrSEpYi60EGn
                                                                                                                                                                                                                                        MD5:775CF50F340A18D706C0F8EC276565C5
                                                                                                                                                                                                                                        SHA1:FBE34B1E7DE5AEB323D39B4B7BBEFAE9835B84DD
                                                                                                                                                                                                                                        SHA-256:4997BD1574B142AE4A7B331A8581A5687896C4881839A6BA302EC16D7CF57E2C
                                                                                                                                                                                                                                        SHA-512:8265CFD78899A78BA87784A91CECBC98DA4047F0AACA93A595FB8F96BFB82462D81702A6034AFDA6E22D4A63994C2EF2411CF09BB60A37A6DBF9B65DD86DAF69
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0.............N.... ...@....... ....................................@..................................-..O....@..................((...`......L-............................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0.......H........ ..4....................,......................................F.(....~....(....*6.o.....(....*6.o..........**.o.......*.~....*.~....*.BSJB............v4.0.30319......l.......#~..<.......#Strings.... .......#US.(.......#GUID...8.......#Blob...........GU.........3..................................................8.........*.h...m.h.....Z.....$...........Z...+.|.....Z...1.Z.....$.....$.......3.D.......|...F.|...c.|.....|.....|.....|.....|.....|.....Z...I.|...}.Z.....Z.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.874606093863098
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:KAWxMWxiNyb8E9VF6IYijSJIVxMPtrUbdEn:KvjiEpYi604r+dEn
                                                                                                                                                                                                                                        MD5:27F895E99B7B8BF1D515B51CB01A6DEA
                                                                                                                                                                                                                                        SHA1:EE2A09CBBBAF45341CCCFD7A4567DFF681F7E557
                                                                                                                                                                                                                                        SHA-256:126CB2A008BC8447E148EDE65603E174ECFA4F155967BBE786FC83F945FE1D7F
                                                                                                                                                                                                                                        SHA-512:133291065A9F5FF75E70745F6D46D0D3F9958C004BF74DFEEA06E2A21D75DC916256B1BB533931DEF440DDF14C9895CDF8D5E2ECDEE60C6CDF99934A00D47C57
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ...............................]....@..................................(..O....@..................((...`......L'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..|....................&......................................BSJB............v4.0.30319......l.......#~......P...#Strings....D.......#US.H.......#GUID...X...$...#Blob......................3......................................z...........!...\.!...0.....A.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.,...C.G...K.g...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tools.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.855522266793951
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:bAlcWHaWOQNyb8E9VF6IYijSJIVxyogbtp:w96oEpYi603WL
                                                                                                                                                                                                                                        MD5:75BF356017ABD008F1F653C209440D9F
                                                                                                                                                                                                                                        SHA1:56984AEF47D0F79781AA7342E3D204B16F8A14A1
                                                                                                                                                                                                                                        SHA-256:794B21CC2286ADA61FCFFA2D8CFE9A95A9AE3D7ED133A0A5A9EF75FAD643F812
                                                                                                                                                                                                                                        SHA-512:03752D9A651D075FFBA2EFC3ECB15FE9690753526D239BA5D0FAB4700886A7C4B4D5CD0B670285BB5D0F4122ED88E0A567BE9AB9283FEE6C3FF8C7468C0EADBE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ...............................x....@..................................(..O....@.. ...............((...`......d'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......|...#Strings....p.......#US.t.......#GUID...........#Blob......................3............................................................`.....1.....t.................s.....).....B.................].........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.5...K.U...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TraceSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.777726961090541
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:geIZnWlNWTaNyb8E9VF6IYijSJIVxpcstBw1LO:FUyo6EpYi60P1
                                                                                                                                                                                                                                        MD5:D0CCC316E7B3B2F404E0AC944F8EFA70
                                                                                                                                                                                                                                        SHA1:F2275CA2E86325C55B0D53C6AC139B03ABE15397
                                                                                                                                                                                                                                        SHA-256:D4081A21923AF546A938ED5986E2A24CB99C15CE64C7D999667C1E13FF2C3183
                                                                                                                                                                                                                                        SHA-512:204E2278F3294A93053F69DBCBA0370C14EA827B4570D5A6EE336FEF639B67006070AB4C0E1453B6FD04457331146EB2D4A5BCEAC76D9D065A308F6AE4C695C4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............2*... ...@....... ....................................@..................................)..O....@..P...............((...`.......(............................................... ............... ..H............text...8.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................*......H.......P ......................((......................................BSJB............v4.0.30319......l...\...#~..........#Strings............#US.........#GUID...........#Blob......................3............................................................t...................................=.....V.................q.....Z...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tracing.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25640
                                                                                                                                                                                                                                        Entropy (8bit):6.4926803931781585
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:hlQnCMi33333333kj8xe+5PTYM3zUy+CezHjzgKj0uRWOdWmWJdWZ+Nyb8E9VF6s:3Qq33333333kX+TBi8OGEpYi60/t
                                                                                                                                                                                                                                        MD5:115A2E78440A666D4365FD351BBB58DF
                                                                                                                                                                                                                                        SHA1:46E1637A313A27E6E54A7E7DB3BA5CA48CA3770D
                                                                                                                                                                                                                                        SHA-256:B3EA4D2B2D94A4C4D121A4A0AAC5E805F66B89332B32B6D5F32F034997830FAB
                                                                                                                                                                                                                                        SHA-512:6476BB872E4D5974018E373C56183645A40C9C5B88AF442D94979D4F94A8301B94A63CB2A1035B284E0D7187382FD46D2724DCF2C6C6ACEB440385A1566095FB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0.............RM... ...`....... ..............................e.....@..................................L..O....`..x............<..((..........PL............................................... ............... ..H............text...X-... ...................... ..`.rsrc...x....`.......0..............@..@.reloc...............:..............@..B................3M......H.......8*...!...................K.......................................0..H........(.....-.r...ps....z.-.r...ps....z.(......}......(#...}.....{.....o....*"..(....*....0..Z.............%.r#..p.%..{.....%.rA..p.%..{..........%.rS..p.%..{....l.{....l[...ra..p(.....(....*&...{....*.0..4.................}......+....{.....".......X.....{.....i2.*.0..k..........{........{..........."....(.......X....{.....i.0%.(..........(.....(.......,..(........"....3.....}....*.......=..M......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.850237800552579
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:128YFlXulWY/WGONyb8E9VF6IYijSJIVxKD9dO:10qX2EpYi60d
                                                                                                                                                                                                                                        MD5:471F0686920F1BB20B72B4EAA06C7576
                                                                                                                                                                                                                                        SHA1:67011DE93A9901B40274A1AE53D112B6669593F1
                                                                                                                                                                                                                                        SHA-256:E04D7BB1CD511A64B6B7BFA3F7ED4837D2781AAEEF2183AEB499EAE60B9375C9
                                                                                                                                                                                                                                        SHA-512:792BD9E9E98DF149338C19BF55C3E923D690B5A7060684DCFCA11125202FF0EC4B4167516B4D947B2B05450B2FDD10423F32608C8ABB07A341674600D1CF4E13
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ..............................'b....@..................................(..O....@.. ...............((...`......t'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~..,...P...#Strings....|.......#US.........#GUID...........#Blob......................3......................................................~.....R..... .....f.................e...........4.....}...........O.....8...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.725733431403758
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:quMLcdQ5MW9MWYONyb8E9VF6IYijSJIVx3Oqsn:nOcSpS2EpYi60Dsn
                                                                                                                                                                                                                                        MD5:6AB99910726DD200260F2AF40918F244
                                                                                                                                                                                                                                        SHA1:C850092F5E90F733EEFA208F43B0F226ACDB6F6A
                                                                                                                                                                                                                                        SHA-256:949BF14A9DABB14B8DD0C2B1B342A5A16DFEE1ABB7F71ADF05A1FC5D46E6A72B
                                                                                                                                                                                                                                        SHA-512:6AF1FAF550DE4FFE79E580E0B0D620B04DFA203515C8ABBD97CC296C763730126895FC20936DF6A45F6C0964FB70CAFCEA1A1C332C92233154839B06E3557A1D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............,... ...@....... ..............................z.....@..................................+..O....@..................((...`.......*............................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H.......P .......................*......................................BSJB............v4.0.30319......l.......#~..p...0...#Strings............#US.........#GUID...........#Blob......................3................................................;.........................$.....$.....$.....$...[.$...t.$.....$.....$.........g.$.....#...........e.....e.....e...).e...1.e...9.e...A.e...I.e...Q.e...Y.e...a.e...i.e...q.e.......................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Calendars.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.815364267481566
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:UZ7RqXWDRqlRqj0RqFWqENyb8E9VF6IYijSJIVxVaDw:o9qKqjqjuq5kEpYi60H
                                                                                                                                                                                                                                        MD5:5FFEE9AC0B6212E3921FA324EC0EF4A3
                                                                                                                                                                                                                                        SHA1:9C198C594A00B4B024649E489A6A6854091D3698
                                                                                                                                                                                                                                        SHA-256:1A57D45120ACC7CF06821185B28804F4036199372D901FF825C57623A0E7C112
                                                                                                                                                                                                                                        SHA-512:D2AE6B8A40C901738B2689803AC2E3C1238C2788BD838DDE8CDA6AC61FEF266E40C9FAEC52A9046245BF58B61FE53D74E9E33E9A4A2A6C728E2626823A389CDB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............*... ...@....... ..............................}<....@.................................X*..O....@..P...............((...`...... )............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................*......H.......P ..P....................(......................................BSJB............v4.0.30319......l...L...#~......l...#Strings....$.......#US.(.......#GUID...8.......#Blob......................3......................................z...............\.....0.....%.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20008
                                                                                                                                                                                                                                        Entropy (8bit):6.6266046778554815
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:yNBMbljRC+lgfS1RPWYR1Rw0R9WYRPWYRDRj0R9W7eNyb8E9VF6IYijSJIVx3HCg:yvMhF2SzNzwu/NljuQmEpYi60Sg
                                                                                                                                                                                                                                        MD5:20DA56CB31299DB280DFD73C12C51968
                                                                                                                                                                                                                                        SHA1:9638EBCDDAF9960F7E4919F3F303AD0A954026A2
                                                                                                                                                                                                                                        SHA-256:8F636D4D9994587EA7FA1C625D1FF647C1F8A90BC216A8D6EB2548F25D88C020
                                                                                                                                                                                                                                        SHA-512:B44A49F4231E1F43933E51E6F42EE33580D99757A4394841E772A40D568375FB8D6D0CB274D9085120A4C3EBB65713161176002853A447E7F938DF9FFD1CF6FB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............6... ...@....... ....................................@.................................a6..O....@...............&..((...`.......5............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B.................6......H........"..H............4......(5........................................o....*"..o....*..o....*"..o....*j~....%-.&(....s....%.....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*......(....*...0..K........-.r1..ps....z. ...@3.(....*. ....3.(....*. ...._,.(....rI..ps..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.89750697943308
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:IZ4RLWdRfRJ0RZWDeNyb8E9VF6IYijSJIVxlyaE:IZK0pJuImEpYi60of
                                                                                                                                                                                                                                        MD5:D2A4E0B1253F5069E54696317077FAF2
                                                                                                                                                                                                                                        SHA1:E5564C937DE1E7AEF5CF38FA4F44E353240AD749
                                                                                                                                                                                                                                        SHA-256:AC0B1544E6F7CF1817C38C02139BEE1EC4D31CE19A4A8E1C43831FB748F90A0C
                                                                                                                                                                                                                                        SHA-512:2B3DB6ADC0DEBBE68445CF878E8EB1FBF8CBBACC738288F27A66ED55FA706D6E48A0EF2FA954E008FA9D9EE9DCA20A5EC8664752935EBF1E7447BF258E19B500
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ...............................b....@..................................)..O....@..................((...`......h(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l...0...#~..........#Strings....x.......#US.|.......#GUID...........#Blob......................3......................................................m.....A.{.........U.................T...........#.....l...........>.....'...................u.....u.....u...).u...1.u...9.u...A.u...I.u...Q.u...Y.u...a.u...i.u...q.u.......................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.793296438744402
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:QFx+WTIEfW5uP6Nyby2sE9jBF6IYiYF85S35IVnxGUHFz9ZIQbLn7:gYWsmWIyNyb8E9VF6IYijSJIVx39mcL7
                                                                                                                                                                                                                                        MD5:EF070CEA6382F5846C14E6CEAFBDB199
                                                                                                                                                                                                                                        SHA1:DB86DF55C83B3170CFC9D95E2F72B7A9E0F29689
                                                                                                                                                                                                                                        SHA-256:98602A6023DC35FE06C764D293908300D47D70797B74ADD4E73F62EDEEBB8119
                                                                                                                                                                                                                                        SHA-512:B8E3D4CCB124727FCF12176FE979986585F3C40AADE861A1AFBA8047C9AD351160D18BEF2BA9FC67B9746F70928F687CC83CE97238CD1145D9677AEF1EE90032
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............*(... ...@....... ...............................?....@..................................'..O....@..@...............((...`.......&............................................... ............... ..H............text...0.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................(......H.......P ...................... &......................................BSJB............v4.0.30319......l.......#~......D...#Strings....8.......#US.<.......#GUID...L.......#Blob......................3......................................................z.....N.....".....b.................a...........0.....y...........K.....4...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........:.....C.....b...#.k...+.k...3.k...;.....C.....K.....S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):105000
                                                                                                                                                                                                                                        Entropy (8bit):6.382231592615125
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:zvc/U5yNq2oS4Zd0LE3YigSFvhoZO2K3aAYH2TfXmNoJXBA76s:zgk1tiLMYiDFvxqrWDWNoJXBA7
                                                                                                                                                                                                                                        MD5:4A6114C4122B45AACD6E7D6782A31BB5
                                                                                                                                                                                                                                        SHA1:092CA9B5C2E44FC80A791FF1542978FEAFCF8D3C
                                                                                                                                                                                                                                        SHA-256:9877F146E695E38C1A4A1E7356165F13AFD1D7D3A69DA2229B9B562D3F45397B
                                                                                                                                                                                                                                        SHA-512:DE2FF43EBFEA3AE1B9ADF5220F49DE717E134A48909F691902E5374973E20F5D0D9937C4A9AD18BCD004B7656FDF6B29E4C1E46351CADA83D986C4D2D4619A81
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..d...........W... ........... ..............................Z.....@.................................5W..O....................r..((...........V............................................... ............... ..H............text....b... ...d.................. ..`.rsrc................f..............@..@.reloc...............p..............@..B................iW......H........................9.......V......................................j~....%-.&(I...s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2r7..p.(....*2rs..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2r=..p.(....*2r_..p.(....*2r...p.(....*2r...p.(....*2r...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.853824936474969
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:QKcuz1W1cWliNyb8E9VF6IYijSJIVxLnoZD:gu8niEpYi60bA
                                                                                                                                                                                                                                        MD5:8F31FA40BCC66B9C90BDFFF328B46338
                                                                                                                                                                                                                                        SHA1:C2D93FB6040F1641288A50AFED8FF3A2236EC82C
                                                                                                                                                                                                                                        SHA-256:E02C2F515F5B656D5DC8A2D88121052C96235C984FCEECA857476C0AA7EC5E7C
                                                                                                                                                                                                                                        SHA-512:70751880AE52CF636B6AF16DEE9844512B66575A956985C09FED3A45D4229F6FC1EA675A2956DBFA154A83EBF375584707E42BAB3972A8D4FC9B11B8C3518824
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ...................................@..................................(..O....@..P...............((...`......H'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P ..x....................&......................................BSJB............v4.0.30319......l.......#~......H...#Strings....L.......#US.P.......#GUID...`.......#Blob......................3......................................................p.....D.....9.....X.................W...........&.....o...........A.....*...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.86015002499566
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:f+SWikW0uNyb8E9VF6IYijSJIVxAd5vI7k:f+eGWEpYi60Cw7k
                                                                                                                                                                                                                                        MD5:E485F2D743BA9C6D2B131D48F8D1A92D
                                                                                                                                                                                                                                        SHA1:A2F128B58E707DF79C81891DFF942CC9B356C9E3
                                                                                                                                                                                                                                        SHA-256:1A81EFE611F904CA2FADA34FFAB94BD080886257EECB700751A5ACCBBB4756F2
                                                                                                                                                                                                                                        SHA-512:25EFCD1DE069B38308015E81471B8FCFF2FEA174E3BBF8D5BD3787BE6217C506AF5F5428F888413F812D3672AB31C9A9B4832831333FF8A68D090587694E72BA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@..P...............((...`......d'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......X...#Strings....h.......#US.l.......#GUID...|.......#Blob......................3......................................................y.....M...........a.................`.........../.....x...........J.....3...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Watcher.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.905257707184542
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:gDxxhREWzgW5APUNyby2sE9jBF6IYiYF85S35IVnxGUHF76am9Ceqha+:0AWzgWSsNyb8E9VF6IYijSJIVxXTPL
                                                                                                                                                                                                                                        MD5:1C3908144599BEE9E7ED65A51CA7A768
                                                                                                                                                                                                                                        SHA1:40A6B8794581AE322C8C0BAAA195DE770B22AD3F
                                                                                                                                                                                                                                        SHA-256:B179BAB0882D8B81E1115C45BB1833949008BEA9A54EB443B72CB81E20452E1F
                                                                                                                                                                                                                                        SHA-512:B3308483AAEDC35DEAC8C9D1CDC91DE95B82F88FAF7B778538D05A37870FD418D4BE9A7BA402A36A628AC7C0CD9ABB00C1A1C77719E9E91832BAEC469713104D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ...............................|....@.................................p)..O....@..@...............((...`......8(............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................)......H.......P ..h....................'......................................BSJB............v4.0.30319......l.......#~..d.......#Strings....@.......#US.D.......#GUID...T.......#Blob......................3..................................................C...f.C...:.0...c.....N.................M.................e...........7..... ...................*.....*.....*...).*...1.*...9.*...A.*...I.*...Q.*...Y.*...a.*...i.*...q.*.......................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8644250173946935
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:FBLRWbYWziZNyb8E9VF6IYijSJIVx7cktCa:FB2xi9EpYi60Yq
                                                                                                                                                                                                                                        MD5:7E1B6ECEEC59D647C0CC78AE00B4FDB3
                                                                                                                                                                                                                                        SHA1:F1A53459AA9F11F6083E7FF63571AA7846A1A7AE
                                                                                                                                                                                                                                        SHA-256:E78C875E3F372522417E63E10A02E6895F51227037C10447A2650B520F2E389A
                                                                                                                                                                                                                                        SHA-512:86DAEB0BF3F603A20C981BD45D848E797297CF8D450F4337B4F7A8656FD654AF778A7378E266E805B85C557F4FCCCB13A640CFB7B2C6F67641795D05A49ED3E3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............b)... ...@....... ...............................9....@..................................)..O....@..................((...`.......'............................................... ............... ..H............text...h.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................D)......H.......P ......................X'......................................BSJB............v4.0.30319......l.......#~..X.......#Strings............#US.........#GUID...........#Blob......................3................................................../...z./...N.....O.....b.................a...........0.....y...........K.....4...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.IsolatedStorage.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.853310722582555
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:xZxcMRW4/W5TPPNyby2sE9jBF6IYiYF85S35IVnxGUHFyF5ycQ6:pHW4/W1HNyb8E9VF6IYijSJIVx+hQ6
                                                                                                                                                                                                                                        MD5:1657409E788CF5890E19B53FBD44423D
                                                                                                                                                                                                                                        SHA1:5BC0B52E6DA0963E08A897A907A814AC494D49D0
                                                                                                                                                                                                                                        SHA-256:25A65D9155A66B61F73D7F1DA02C7C1B9ABABF93311D238B29241FDBB394058C
                                                                                                                                                                                                                                        SHA-512:9F0ACB5D83FF1C4C0536CF7E601A308CEBD86CB177402E96744A597662A19E5A74EAAE55335E55E6E4723D4B673F2C2C866002050D04148F14DFED6A625C0CBE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@.. ...............((...`......X'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......\...#Strings....`.......#US.d.......#GUID...t.......#Blob......................3..................................................+.....+...^.....K.....r.................q.....'.....@.................[.....D...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.MemoryMappedFiles.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.910305102519224
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Qvk7hWmCWKpNyb8E9VF6IYijSJIVxufid:Qs7/GtEpYi60/
                                                                                                                                                                                                                                        MD5:C7C6B0339BFE3946B6BD49BE33E51DF4
                                                                                                                                                                                                                                        SHA1:8DE0782915A10865D10F3DF841261DB1556C1F29
                                                                                                                                                                                                                                        SHA-256:1B84816C842B53374B07B50EB09842F207EE89B21499201307E7EDB250466333
                                                                                                                                                                                                                                        SHA-512:805B6409A13008284B3233DDD0784F8CCB8AEA7E96CFFA8856E9FB694C34CC0F6A7E4BA7B45C1784A9986D0BEE70A4A09181811621EC5B0F9167D4212914529B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ...................................@.................................h)..O....@..0...............((...`......0(............................................... ............... ..H............text........ ...................... ..`.rsrc...0....@......................@..@.reloc.......`......................@..B.................)......H.......P ..`....................'......................................BSJB............v4.0.30319......l.......#~..H.......#Strings....8.......#US.<.......#GUID...L.......#Blob......................3................................................ .C.....C...w.0...c.............................@.....Y.................t.....]...................*.....*.....*...).*...1.*...9.*...A.*...I.*...Q.*...Y.*...a.*...i.*...q.*.......................#.....+.....3.....;.....C.8...K.X...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.874079079790563
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:0UiW2xf+C/WCUW5wP5Nyby2sE9jBF6IYiYF85S35IVnxGUHFLZiDeclzmK:iGMWCUWiBNyb8E9VF6IYijSJIVxRNcn
                                                                                                                                                                                                                                        MD5:EB275A6FA4900CBBF2FB9129D5054455
                                                                                                                                                                                                                                        SHA1:233ED20E17EE685D82F8B831BD0A5F80D3934D14
                                                                                                                                                                                                                                        SHA-256:228F2A497191A7827A6BAD3FE2E96D7205956F0E11C1C901CFC38EFADF026348
                                                                                                                                                                                                                                        SHA-512:D516A1CC03B35A55B69C89D599127E9BDEA5C6BFE1A529C0D5F6996D7270E1485A8A65DDAC9AF13E0169AE841DE28D5BCCE2BE521B7575E3962813BD30C95F46
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ...................................@.................................@)..O....@..................((...`.......(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................t)......H.......P ..8....................'......................................BSJB............v4.0.30319......l.......#~..X.......#Strings............#US. .......#GUID...0.......#Blob......................3..................................................].....]...T.J...}.....h.$.....$.....$...g.$.....$...6.$.....$.....$...Q.....:.$.................D.....D.....D...).D...1.D...9.D...A.D...I.D...Q.D...Y.D...a.D...i.D...q.D.......................#.....+.....3.....;.....C.,...K.L...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.855006170759416
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:WBhwI7WSQWEQNyb8E9VF6IYijSJIVxCtg17CnR:WDwIBSoEpYi60O
                                                                                                                                                                                                                                        MD5:0E2BC95C6404129D0AD52D334FC2F4CE
                                                                                                                                                                                                                                        SHA1:9551E6E9E1E3A146FDD86EEBF6A639894CC2D203
                                                                                                                                                                                                                                        SHA-256:7DF98BDC12483A66A81C3EA7D30360BD19FC7489F87910444A84672338B5A0F6
                                                                                                                                                                                                                                        SHA-512:F73CEBD27302CC8FF9E07DC710A3A3B1EE70EDA7655A9EC4571B6138FFDDBC9A5C6F54DFB1521078175560BD74CD5F233BF0E3EAB01D38EE2033F7D4726BA927
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ....................................@.................................l(..O....@..P...............((...`......4'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P ..d....................&......................................BSJB............v4.0.30319......l.......#~......D...#Strings....8.......#US.<.......#GUID...L.......#Blob......................3......................................................f.....:.....2.....N.................M.................e...........7..... ...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.868810802567518
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:VyvPRW4lWvKNyb8E9VF6IYijSJIVxnKF69:839oKEpYi607
                                                                                                                                                                                                                                        MD5:669D226524BE0CF2D2FA4B8A37CED29D
                                                                                                                                                                                                                                        SHA1:0C042CFAF3B9D7FAA979939937DF91277A4AF44C
                                                                                                                                                                                                                                        SHA-256:254E907D962DE0BB5B4208716D2AF661AF6F88150621E066242C251E2CD40A2C
                                                                                                                                                                                                                                        SHA-512:2507F974E0D07088E0CC4A9EA43292AE9C561CEE6A0EEAFD2F96B913788D4ECF30FF33A4BD2342B125D9B1F382AAF3612F29E1D015CE1AA5C1ACA2B207651CFA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ...............................{....@..................................)..O....@..................((...`......l(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l...L...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................................f.....:...........N.................M.................e...........7..... ...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.&...K.F...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.820689586305787
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:0nhp+J2sx/5W6eW5lPENyby2sE9jBF6IYiYF85S35IVnxGUHF9IAcLnLB:S6RW6eWX8Nyb8E9VF6IYijSJIVxiAcnN
                                                                                                                                                                                                                                        MD5:F9A4E5D4F2025EBD9A75C161D4596153
                                                                                                                                                                                                                                        SHA1:56EFB312768D3CE8D11C903AE8C4819EF00D2CD1
                                                                                                                                                                                                                                        SHA-256:0441AF9944CB904623A42A215795505FB4F9B1ECC3EFEA5F525E2D4F17A73F0D
                                                                                                                                                                                                                                        SHA-512:1823D39527349EC34F4AC9105FDCFBEADF54729CB6D8CB23CA02A5BC399873087FACFB14308509F57AA7C738488E84750A3BD6E9A0974950D567EF39A2F65C89
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............-... ...@....... ....................................@..................................-..O....@..................((...`......P,............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H.......P .......................+......................................BSJB............v4.0.30319......l.......#~..\.......#Strings....\.......#US.`.......#GUID...p.......#Blob......................3......................................5.........c.............z...............(.....E.....................................Q.........../...........b.....b.....b...).b...1.b...9.b...A.b...I.b...Q.b...Y.b...a.b...i.b...q.b.......................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.854119221878164
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:NSUP9W70WxhNyb8E9VF6IYijSJIVxu1LFogICg:sUe/lEpYi600J/I
                                                                                                                                                                                                                                        MD5:36232AE8F9C6310572F818FDF2269139
                                                                                                                                                                                                                                        SHA1:D0D53A5AA92F766DC1225923414105FE959B8C77
                                                                                                                                                                                                                                        SHA-256:07AD90A5D5980E276502ACB56DCAF75CC88EE5C47D5EE39837DCFA3D24F51EC8
                                                                                                                                                                                                                                        SHA-512:FD1B86097F35B9C1E2DEAD768F33894643893D18FE0971E5DCCF4373694C5A4C9EDF3823D92A13AEB93135B82860E331F7330CA528C6704856A8F1A94F1C31D7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ....................................@..................................(..O....@..................((...`.......'............................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~..,...x...#Strings............#US.........#GUID...........#Blob......................3..................................................&.....&...p.....F.............................9.....R.................m.....V...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.85207099912043
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:x8yg07W0/WtTNyb8E9VF6IYijSJIVx/ouRy3:xBHEPEpYi60A9
                                                                                                                                                                                                                                        MD5:DCDD3435E4AB095F3C1B27BB400065F2
                                                                                                                                                                                                                                        SHA1:50A5E54F3EDDEC3DA6EA4D556188EC4103FE2AF0
                                                                                                                                                                                                                                        SHA-256:E48D3BB2D354500CFE30CA2116E325EC1524FB15AC908C9D73BF93C3ED92BD3C
                                                                                                                                                                                                                                        SHA-512:88532835E4443A98A80516F75673492415B15D69A268AA2EFE6060122299CF5B1CEF8F95E1DE39FA5D43FB6A0B82ACB6ED1FDEEAF05FC90D201AA032F6C00230
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ..............................'.....@..................................(..O....@..................((...`......x'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~.. ...d...#Strings............#US.........#GUID...........#Blob......................3.................................................."....."...m.....B.............................6.....O.................j.....S.......(...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.816270862620687
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:YueAxQJ4WmRW5WPtNyby2sE9jBF6IYiYF85S35IVnxGUHFONZgwDMN:me1WmRWgFNyb8E9VF6IYijSJIVxargw4
                                                                                                                                                                                                                                        MD5:432C5AB8FE403BBD6CCB0F87E6278A0F
                                                                                                                                                                                                                                        SHA1:CDA169FC8616A7EF9205655C7247B4D29DEBFC1B
                                                                                                                                                                                                                                        SHA-256:CB4C2662031FE23B4DC76CF0B53E846D561700F599B4DD1CEAF35E1C36218F91
                                                                                                                                                                                                                                        SHA-512:D831FBB3732AB98FBEA600C0875100715BFF61A8D53498AA9CDFDFD670C9E96B71CFFFD80212DFE5E6D47D1014EB1C96BDEB5EFD01A01B0076CFB2E715C1905A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ..............................).....@.................................p(..O....@..................((...`......8'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..h....................&......................................BSJB............v4.0.30319......l.......#~.. ...0...#Strings....P.......#US.T.......#GUID...d.......#Blob......................3............................................................f...........z.................y...../.....H.................c.....L.......,...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.(...K.H...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):142376
                                                                                                                                                                                                                                        Entropy (8bit):6.161069434334119
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:EUGrszKKLBFa9DvrJGeesIf3afNs2AldfIlq9:HBFd3/aFs2w
                                                                                                                                                                                                                                        MD5:32968BA035ED01A02C04CC270ED78907
                                                                                                                                                                                                                                        SHA1:48E642894A12A4B309070B8F92796AF902255B77
                                                                                                                                                                                                                                        SHA-256:38BA0E2742FC478A389AEC7F8763250EB376EF7E0434269DD63497D49D66AC24
                                                                                                                                                                                                                                        SHA-512:5CA0855E1FE4D4BD718173B722B8EDE65EC485866ECD54FA1A41A8C23263312162E5A3E73E6247E2AE53DD9655F3CE6E179016C97F42C1150A774C37775F66EB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`............@.................................X...O.... ..0...............((...@...... ................................................ ............... ..H............text........ ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B........................H........,................................................................('...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....((...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o)....{....(a...*..(....zN........o*...s+...*.(....z.s,...*..(....zF(U....(O...s-...*.(....z.(V...s-...*.(....z.s....*.(....z.s/...*..(....zN........o*...s0...*.(....zrr...p(\....c.K...(O...s1...*.(....zBr...p(Y...s1...*.(....z.s2...*.(....z.(X...s3...*.(!...z.(_...s3...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Http.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):192552
                                                                                                                                                                                                                                        Entropy (8bit):6.114505353873675
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:SeruQlNGOhYq0AQcTvankc+8lbKta4FUPAT8xpRI454I/Kv6RpZ8dwPSgSbD:DW60VcTvakcXcApOT
                                                                                                                                                                                                                                        MD5:D39D918DC37A543914C0B60CFFA237DF
                                                                                                                                                                                                                                        SHA1:E5F486BFFBEEF227BB6107A818D4BD429D5016CC
                                                                                                                                                                                                                                        SHA-256:F1E85794BA3939128BA4E885661E8618E0D38E2477D1B4EB9821332572F29C4F
                                                                                                                                                                                                                                        SHA-512:1F4BD5B78B62ABB4943249A56BAB55CF9C019C55658136EAC2697F9EF582D0EDF6AF0FDFB033560BC55CA5BD131B13097EB2FD4F3F36F991B3BD0AD795290242
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0.................. ........... ....................... .......A....@.....................................O.......h...............((........................................................... ............... ..H............text...D.... ...................... ..`.rsrc...h...........................@..@.reloc..............................@..B........................H........$..H...........$....,...........................................0..,........ ....1.r...ps0...z.............(.....s1...*.0..l........J.2..J.o2...2.r...ps0...z..Jo3....%36.o2....JY.2*..J.Xo3.....J.Xo3...(...... ........J.XT.*...J...XT.o3...*..o2....Y./..*..o3....%3 ...Xo3......Xo3...(.... .......*.*..0..=..........J...XT..%....J...XT.~..... ...._.c.....J...XT.~......._..*....0............02...91...A2...F1...a2...f1. ....*..91...F1...aY+...AY..X+...0Y...02...91...A2...F

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NameResolution.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.835085844373381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:M6ZWYLWBwNyb8E9VF6IYijSJIVxNNL062:M6l4IEpYi600
                                                                                                                                                                                                                                        MD5:81AA1DDF61B6FED3207D5333732255CA
                                                                                                                                                                                                                                        SHA1:38291BDE04EA3CE9BE9423A10C7293813FB66D02
                                                                                                                                                                                                                                        SHA-256:B183FAF5099740E26F08DFED0A60DF119B0DB919941D3695142478A801B031FB
                                                                                                                                                                                                                                        SHA-512:3A327CED161B2BC84EC775B1492DE61A93640E1DFAE3A241D65163D10F81ABFB120A58592E4C390CBC27B7EE144545EDB58F1DF16A31FC6001734670288B13C7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ....................................@.................................T(..O....@.. ...............((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P ..L....................&......................................BSJB............v4.0.30319......l.......#~......0...#Strings....$.......#US.(.......#GUID...8.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NetworkInformation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.790506357802776
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:r1W1WMQWkMNyb8E9VF6IYijSJIVxuHIaUN:01yMEpYi60uoN
                                                                                                                                                                                                                                        MD5:92FCB153379966587B9E445B7F822E3F
                                                                                                                                                                                                                                        SHA1:79135C7D707DA0A2F0D53D9C5AE66475E38C6D2A
                                                                                                                                                                                                                                        SHA-256:331DE136F23E448141DDD386346A8CA06D33FFDFADEC3F5CD1E17FFC945E1AF1
                                                                                                                                                                                                                                        SHA-512:2B3F64BDF1607FF3CCCEB596159F84E45152978F92852B896778AFD1E94962D27F2B1015E2510286F8FEAB98EE8140D6295EB104E1BF2A52F3163596A9E1722D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............,... ...@....... ..............................oM....@..................................,..O....@..@...............((...`......p+............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................,......H.......P .......................*......................................BSJB............v4.0.30319......l...<...#~..........#Strings....t.......#US.x.......#GUID...........#Blob......................3................................!...............E.................%.................'...........e.....~...........................................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.:...K.Z...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Ping.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.830516305756255
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:IdSWSKW1BNyb8E9VF6IYijSJIVxsDYcvB:2OpFEpYi600vB
                                                                                                                                                                                                                                        MD5:8D49371396C6C03C4D6C9F94D9DC8938
                                                                                                                                                                                                                                        SHA1:72D1A7E51F93D4D18BFF160C03E26628CF238957
                                                                                                                                                                                                                                        SHA-256:048DB12A55C0430EE606873B9644BE8C3F94851396F40D7E876791FD4BE21772
                                                                                                                                                                                                                                        SHA-512:C67351C351AA408CB826222C32875BDBAC23BCBD8A31EDA87AE89D853B3418778F710D91894DC9987690B075375EBE8EE21DBA75071634A9D35581A7071CE3F0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................)....@..................................(..O....@..................((...`......X'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~.. ...L...#Strings....l.......#US.p.......#GUID...........#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.,...K.L...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.743838473623697
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:JJEYA2WkIWcqNyb8E9VF6IYijSJIVx1IZx2z:JyYA8CqEpYi60+ZS
                                                                                                                                                                                                                                        MD5:04D83D9AEE652BC4D65732A50A283723
                                                                                                                                                                                                                                        SHA1:604E3D59E47BB285064C39EA74DA7C7EED6DBD5F
                                                                                                                                                                                                                                        SHA-256:1399A5F15F7CCE0BB512F22C3E3E7C8EDB4C429B560EE534DD6527DAE3936183
                                                                                                                                                                                                                                        SHA-512:98AAF070BC87AC0EFAF665FC6ADB61A2400496DEBA34F24719C7179B4FFA9DCA322781A79702F3D189363C446AB78C51ABCD06E7B816BC5717E75D92CF71881A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............r,... ...@....... ...............................r....@................................. ,..O....@..................((...`.......*............................................... ............... ..H............text...x.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................T,......H.......P ......................h*......................................BSJB............v4.0.30319......l.......#~..|...x...#Strings............#US.........#GUID...........#Blob......................3......................................$.........N.U.....U.....-...u.................0...........n.........................>.......................'.....'.....'...).'...1.'...9.'...A.'...I.'...Q.'...Y.'...a.'...i.'...q.'.......................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8742654985436715
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:1Gl0qgopJ5xBcWe4W5JPwNyby2sE9jBF6IYiYF85S35IVnxGUHFVOEet:1yJGWe4WTYNyb8E9VF6IYijSJIVx5OBt
                                                                                                                                                                                                                                        MD5:A4B62A621C62AF0EB0EAF9543C1F5293
                                                                                                                                                                                                                                        SHA1:C81BEA54E7336CF7786358934C3C905C9F68893F
                                                                                                                                                                                                                                        SHA-256:5345415E6C206449D2FBDC41FF8E7C5E24933AAE43A356EB37412D26660DE313
                                                                                                                                                                                                                                        SHA-512:DAE43E655FD3636626D761E5C591CAB41D2C8C12C61F729CBC14D1ED322285C2F7939E1BE929AFD2BD1E7EF875CC2FD0279DF55AB4E6953B473993CFD543B2AC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ...................................@.................................0)..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................d)......H.......P ..(...................x'......................................BSJB............v4.0.30319......l.......#~..d.......#Strings............#US.........#GUID...........#Blob......................3..................................................4...~.4...R.!...T.....f.................e...........4.....}...........O.....8...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.0...K.P...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.783872021616734
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ndW1w3WesWn3Nyb8E9VF6IYijSJIVxV4XVq:Q1wxd7EpYi60+U
                                                                                                                                                                                                                                        MD5:5F89A87CCEC1785D5350D5F97D8C9DDF
                                                                                                                                                                                                                                        SHA1:B862712051883FCB6503AFC6371A63FAA562EEBE
                                                                                                                                                                                                                                        SHA-256:A0861591C6BFF488938EE8ED5704E65859E021A517BE04EF2475DB15B64FF055
                                                                                                                                                                                                                                        SHA-512:9A0C18A2FA68D42FCEFAC9FE26DD9862E9960C43044D888DB075807C8D933F78FC933BACA3BD41ACF116C280B5898AC56B424F5EB091407270A888D82F7AB5A3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............~*... ...@....... ...............................$....@.................................,*..O....@..................((...`.......(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`*......H.......P ..$...................t(......................................BSJB............v4.0.30319......l...$...#~......t...#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0...........D.<.....<.....<...C.<.....<.....<...[.<...x.<...-.......<.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.0...K.P...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):24616
                                                                                                                                                                                                                                        Entropy (8bit):6.595735639949552
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:IylNGlfdqj5531HJTABhf8g2MkO1ICMbmiT2Y4Y3ocWS9sWvW8YsW1gNyb8E9VF6:Iyp12Bhkg3qnV/srYEpYi60R4H
                                                                                                                                                                                                                                        MD5:9F134D767ED38CF27DC0D8B4189C80D3
                                                                                                                                                                                                                                        SHA1:25D436AF9417BA9DA208250C8C4EBCB7F1DF488A
                                                                                                                                                                                                                                        SHA-256:38A28626CF00CF9FD9A691E3F8D855E62CD9697C5B5CD2A228090192ACF00B96
                                                                                                                                                                                                                                        SHA-512:180372DD38C400C62336A4E0D454ACD6C605DE415CDC27E89313B7CAAA97386915633DE11DC29729F3663427D91F712A8F26A85D7B1CF5F91ED8A7618345470A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..*...........I... ...`....... ..............................O.....@.................................gI..O....`...............8..((...........H............................................... ............... ..H............text....)... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............6..............@..B.................I......H.......H(... ..................HH.......................................0..J.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%......o....*...0..L.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%........o...+*.0..K.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%.......o...+*..0..L.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%........o...+*.0..L.......(....~....%-.&~..........s....%.....~....%-.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.852617103599006
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:xHPAW1bWieNyb8E9VF6IYijSJIVxJ54tLW:drTmEpYi60SLW
                                                                                                                                                                                                                                        MD5:0142600DD77E8A5CD6D57582354FD2B6
                                                                                                                                                                                                                                        SHA1:EC5864586E603964814379F5F5B5E00CE8E45DDA
                                                                                                                                                                                                                                        SHA-256:AB22C67D1227895D87159030A1BC18123363645013CFAB3C657515EACCF414F9
                                                                                                                                                                                                                                        SHA-512:1888669CA35864F5D34F63448E5970F8484C3F41A1790CE50C56287B5F4DD14F85EA8726FD98CC6FA89E0700366680F6AD8C6F0507A4DC77C2057AFE4EE26308
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................{....@..................................(..O....@..P...............((...`......P'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......P...#Strings....T.......#US.X.......#GUID...h.......#Blob......................3......................................z...............\.....0.....3.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.852942632163301
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ONoqWD7WJlNyb8E9VF6IYijSJIVxeL278:ONofwhEpYi60c
                                                                                                                                                                                                                                        MD5:8F55175950B1FD6D39164B0DEEC5C5AB
                                                                                                                                                                                                                                        SHA1:69AA107AC85893DBEDF808015854A0A5328195C4
                                                                                                                                                                                                                                        SHA-256:7332FC835410B9043D05FC0FCD66EBBE332B8422751FA2765DA5490359A2621D
                                                                                                                                                                                                                                        SHA-512:C1E92512FC455FEDE19ED67BA5481046312E74C39778B55C4AB39985805DB193AC07B059FDA80E3F85DD03FE84C25DD8475F6150242E4BB84223D67A8A97411B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ..............................AM....@.................................|(..O....@..@...............((...`......D'............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................(......H.......P ..t....................&......................................BSJB............v4.0.30319......l.......#~......X...#Strings....L.......#US.P.......#GUID...`.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.865517054281121
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:hGETSAWUEWSWNyb8E9VF6IYijSJIVx6t3n:VT18+EpYi602
                                                                                                                                                                                                                                        MD5:A798F54D46B2E127F1F0CA90E3B886C9
                                                                                                                                                                                                                                        SHA1:58ED138A4A0E0FCC0506177527CE972BDE111EEC
                                                                                                                                                                                                                                        SHA-256:813B252BB228E7CBA339A0A6303AE353262896B8006998DCC61E28A44FECBFFC
                                                                                                                                                                                                                                        SHA-512:DB0DD09009F0B24E0E4E2FB30ACE2CEE3AB0845AB49FD2C2BC1FA40248598671FA875FCD02803649EFD5975E19E264E3844318D26697EC07A47A47F7959E1DE5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............B)... ...@....... ..............................W7....@..................................(..O....@..................((...`.......'............................................... ............... ..H............text...H.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................$)......H.......P ......................8'......................................BSJB............v4.0.30319......l.......#~..<.......#Strings............#US.........#GUID...........#Blob......................3............................................................T.....,.....h.................g...........6.................Q.....:...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):110120
                                                                                                                                                                                                                                        Entropy (8bit):5.511315194559188
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:vPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/Yb76V:vWw0SUUKBM8aOUiiGw7qa9tK/Yb6
                                                                                                                                                                                                                                        MD5:43FDAC25BF2B6E9636C0FC732675C6A3
                                                                                                                                                                                                                                        SHA1:CDB8CC63F0466BE20CB1E362457F836199598866
                                                                                                                                                                                                                                        SHA-256:A1CEF7189DBC7FB9C889AE462AF4CCABF9252DA718AE8497B6EE1D9D1DB529C0
                                                                                                                                                                                                                                        SHA-512:6536032C9ACB01C54B0C78CD292EC48E7694A1AE96DB0E4AD38261A824AAFB7A925896E687F57C69B695494262617265B78C79BBA757161F60AD976495B012A7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0..v............... ........... ..............................yc....@.................................f...O.......................((.......................................................... ............... ..H............text....u... ...v.................. ..`.rsrc................x..............@..@.reloc..............................@..B........................H........Q..|?..........$... ...D.........................................(....*&.l(....k*&.l(....k*..l.l(....k*..l.l(....k*&.l(....k*&.l(....k*&.l(....k*j~....%-.&(....s....%.....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*2rG..p.(....*2r...p.(....*2r...p.(.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.8485880879152505
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ncDagtDApWSKJWFrNyb8E9VF6IYijSJIVx4Lssrd:nPKBKnEpYi60Nc
                                                                                                                                                                                                                                        MD5:1D8F816D317797E0FA313C3C6B73DE4A
                                                                                                                                                                                                                                        SHA1:27FBFB40D16A911888859E48E2C36FB9061184C6
                                                                                                                                                                                                                                        SHA-256:F37CF3AA82C19EE9FAF68FD8EE250FCF9CA7DDE9F3716D568477C2237A3255FE
                                                                                                                                                                                                                                        SHA-512:C9DCBFD9C45A55DF84CD96C82E2196A51C59A4D7F7BCABF1408DA9F6FC138D084B2105E8A34F233379C6DE5D7FEEE8D8A4BA69842F9D22B356FFF57B226E0FCB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............+... ...@....... ....................................@.................................0+..O....@..................((...`.......)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................d+......H.......P ..(...................x)......................................BSJB............v4.0.30319......l...x...#~......$...#Strings............#US.........#GUID...........#Blob......................3......................................x.........w.o.....o.....\...............<.....Y.................................................G...........V.....V.....V...).V...1.V...9.V...A.V...I.V...Q.V...Y.V...a.V...i.V...q.V.......................#.....+.....3.....;.....C./...K.O...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.861476584356263
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:G6NxhqWD4W5wP6Nyby2sE9jBF6IYiYF85S35IVnxGUHFAyboMUZuK:HIWD4WmiNyb8E9VF6IYijSJIVxM02ZuK
                                                                                                                                                                                                                                        MD5:80D10405E86A011428809D189AF42254
                                                                                                                                                                                                                                        SHA1:F9CE2968326684CF3031806A251BF8DC06BAAC33
                                                                                                                                                                                                                                        SHA-256:0420249331DFAB914B80AF43E396F92F6D0BDB0B5844BF7F542F86A67F3781A2
                                                                                                                                                                                                                                        SHA-512:4D6507917AF602D9523A0356E060E3EB2C1B1A2A278E369F4884194BD237FDDCA1DF0A5153269DCE78376DD809CA7F57B010CA753DAFB7023B357D3D5AF4E4A8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................)....@..................................(..O....@..@...............((...`......\'............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......`...#Strings....d.......#US.h.......#GUID...x.......#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.782417953504123
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:7W2KxVSWzQW5qPFNyby2sE9jBF6IYiYF85S35IVnxGUHFh/JZlG8u2wchen:sMWzQWc9Nyb8E9VF6IYijSJIVxN/Jlq
                                                                                                                                                                                                                                        MD5:ECF764E3A0AA1F7C8CA303CB7DD97B9C
                                                                                                                                                                                                                                        SHA1:368B515F808C94A75794F55143242D71FF993810
                                                                                                                                                                                                                                        SHA-256:2CA740086867B8FA9D5688A86FE09DD3A194F3A94311C0ED07542D5F5970245E
                                                                                                                                                                                                                                        SHA-512:D736138B228961EEDFE18E2244AB4A81EA654D9D2D59B8BEB83B7B7C52474B0B2519227B1689355C946959A788169282C674B59F19EC88591957ED331F6BB5B0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............N*... ...@....... ..............................9.....@..................................)..O....@..@...............((...`.......(............................................... ............... ..H............text...T.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................0*......H.......P ......................D(......................................BSJB............v4.0.30319......l...L...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................................z.....N.....:.....b.................a...........0.....y...........K.....4...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.723389175620964
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:nxDHKWAMWcpNyb8E9VF6IYijSJIVxlPKik9:xD8GtEpYi60VY
                                                                                                                                                                                                                                        MD5:A94864E904101958581F376E9EDB2C0A
                                                                                                                                                                                                                                        SHA1:993F6DBB4BD44A67C8F5356F9C3BCD9158D6BE4A
                                                                                                                                                                                                                                        SHA-256:865EDDB9133689FFDC20909F6B31B9E17EB88EADA17DC0186F5C8B472D83367C
                                                                                                                                                                                                                                        SHA-512:0ABCA15C3ADB018222D7512C2FF7575A75971EE8733569FD88E0713542A33207402F4210504D04337DAFA2CA545C8994FD360A3FEE63CB5E02BCDC31499AA381
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............r,... ...@....... ....................................@................................. ,..O....@..................((...`.......*............................................... ............... ..H............text...x.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................T,......H.......P ......................h*......................................BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID...........#Blob......................3................................"...............1.............{.................................Q.....j.......................n...................u.....u.....u...).u...1.u...9.u...A.u...I.u...Q.u...Y.u...a.u...i.u...q.u.......................#.....+.....3.....;.....C.....K.N...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.831343160224206
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:sLNBEW6pWx7Nyb8E9VF6IYijSJIVxdT1qecIE:sbMSXEpYi60pJE
                                                                                                                                                                                                                                        MD5:920872C0CAFD7FE6420CA10D97DE9CD3
                                                                                                                                                                                                                                        SHA1:AD1604671681439B2E14D1E0AA2BBB330EF9A2BD
                                                                                                                                                                                                                                        SHA-256:C86E8D0B53F8C026CD7D2F4D69C4994D47D51642CA8FA1A83B646CE9A8424E36
                                                                                                                                                                                                                                        SHA-512:00CC29FA4BE88D4CE35443FA34FC359854FB2B8587C6323BF16558FC739F74B80D70BD0602AD9B184CE03268769B89C572E649ED7369D4E3D1D401A673B3AFD5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................#....@.................................D(..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................x(......H.......P ..<....................&......................................BSJB............v4.0.30319......l...|...#~......0...#Strings............#US.........#GUID...,.......#Blob......................3......................................z...............\.....0..... .....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.ResourceManager.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.88461735081066
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:CKkHKW/tWBpNyb8E9VF6IYijSJIVxkNKuTPOWCh:XumtEpYi60Wlqh
                                                                                                                                                                                                                                        MD5:5D50FAD06724E49E4E907BC19144FF03
                                                                                                                                                                                                                                        SHA1:C524AA38A25E0705DF630D06D2FBA6E9F58FF5F1
                                                                                                                                                                                                                                        SHA-256:DE7C68CE4A9222A8C67970A327201271942D8DE208AA79F4CD841BF6BCD06392
                                                                                                                                                                                                                                        SHA-512:5EE8E43B279109AA8263A61853C1EA729E7D0AAD772AB5013D5147BAA2BDC5746DADD798EEEBDB0141D6DE17E59D528CCDFE8B4B9FBF86EBBDD7DEF034E828D1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ..............................n.....@..................................(..O....@..`...............((...`.......'............................................... ............... ..H............text...4.... ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B.................)......H.......P ......................$'......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3..................................................W.....W...R.D.........f.......................=.....V.....}...........q.........................>.....>.....>...).>...1.>...9.>...A.>...I.>...Q.>...Y.>...a.>...i.>...q.>.......................#.....+.....3.....;."...C.=...K.]...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Writer.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8297477234302955
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:iLnfIWqrWx8Nyb8E9VF6IYijSJIVx7Dq1bg5b:iDf4ocEpYi60gbA
                                                                                                                                                                                                                                        MD5:EF19619E4FB598E731C86EC9A8CBFEFE
                                                                                                                                                                                                                                        SHA1:5C1B41E70C446E435F4217D5B7138DCB90FE290E
                                                                                                                                                                                                                                        SHA-256:8223A4F01C4E60A4F2FEF221A643D5D661607D7F914B50CE04C1A8C1B8EEBE29
                                                                                                                                                                                                                                        SHA-512:38F551B00816A09977BAFB293E4A599A7B39722B18594782AD876AB41B7D4A7AFEC9E343CAE90D9A61C962A3D58D1B392640B0FFF9727A588157AD3B4695A4CC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................7....@.................................D(..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................x(......H.......P ..<....................&......................................BSJB............v4.0.30319......l...|...#~......0...#Strings............#US.........#GUID...,.......#Blob......................3......................................z...............\.....0..... .....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17960
                                                                                                                                                                                                                                        Entropy (8bit):6.6730008612186245
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Xh06sbbVVPWU2WYNNyb8E9VF6IYijSJIVxeBT75t:Xy9gpEpYi60A35t
                                                                                                                                                                                                                                        MD5:F148EA54B35EB3C5AED3B52813BF4F60
                                                                                                                                                                                                                                        SHA1:F88ED3CA81608E7BE484162AB62B99C040146008
                                                                                                                                                                                                                                        SHA-256:2E685717F598D740A6F08A102A2BB8FDCFD13EEECA6676973A0ED82D93113C98
                                                                                                                                                                                                                                        SHA-512:AF08168D3EA79AA38245D6680052E3FD3F3A8E70A5A4F8E5328511EC6C842B61864BDFBB99939E28A6E089BD6B890C7FAD3FCF0D16E1F050931241079108C46A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ...............................o....@.................................@3..K....@..................((...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.813555981869786
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Tna8WK1WLfNyb8E9VF6IYijSJIVxY4l2/I:Tna0ojEpYi60cI
                                                                                                                                                                                                                                        MD5:DAC6F3648BB15C41F00CE3145F2F0728
                                                                                                                                                                                                                                        SHA1:D272B6B33FC3F79B81584D3B02097EB01877ADDA
                                                                                                                                                                                                                                        SHA-256:8BE568340D09987CDA994C323632412ABC7CDBD2A68DA4A5F0DEB9A33ADFF1FD
                                                                                                                                                                                                                                        SHA-512:6E627BD14C4FD6D1A22A212E0F7F729803D062C70538335D2817DB45FDB3C76884ABD5049EC2AB17136A8188FADD59BA6293A9165313BD801411B330F1441251
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............j*... ...@....... ...............................e....@..................................*..O....@..................((...`.......(............................................... ............... ..H............text...p.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................L*......H.......P ......................`(......................................BSJB............v4.0.30319......l...@...#~......0...#Strings............#US.........#GUID....... ...#Blob......................3................................................w.................!...........<.....Y.............................................................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.)...C.D...K.d...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Extensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.765050520018306
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:yBSWITWWSNyb8E9VF6IYijSJIVx3mR6fb0Y:y6LyEpYi60WRS0Y
                                                                                                                                                                                                                                        MD5:B7DF86D70B123FE508FB29CFDC2B542E
                                                                                                                                                                                                                                        SHA1:BCF288920D77999DBAF9E11FE664A0584B70D53A
                                                                                                                                                                                                                                        SHA-256:F9D30C710A2D2E44F354CE01B5357E63DBD960F3B70752CD860D06317D18B5E5
                                                                                                                                                                                                                                        SHA-512:946D3CBA5D337862A92A75360DB9F44D284D21BDCA52F860FB29853D4B089E0EACEE1BAD09A168A4F0323FC2736DA25CBD78CDBF989891549347ABA884531BB1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............*... ...@....... ....................................@..................................)..O....@.. ...............((...`.......(............................................... ............... ..H............text...$.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................*......H.......P .......................(......................................BSJB............v4.0.30319......l...@...#~..........#Strings............#US.........#GUID...........#Blob......................3..................................................|.....|...S.i.........g.................f...........5.....~...........P.....9...................c.....c.....c...).c...1.c...9.c...A.c...I.c...Q.c...Y.c...a.c...i.c...q.c.......................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.874215297105027
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:x88cIIWNoWJiNyb8E9VF6IYijSJIVxJ7FAE:x9cU7iEpYi608E
                                                                                                                                                                                                                                        MD5:2437B5CDEA52C4369A993501F7E685AE
                                                                                                                                                                                                                                        SHA1:7B4EB7B8C2445B4E450402BCFB0EF0B25409FE4F
                                                                                                                                                                                                                                        SHA-256:F894E3041501E7472F115C0FEC9C841B549BC5B4E3442BBE25DFE96E3DBF9CCD
                                                                                                                                                                                                                                        SHA-512:AEE985DA1CE68F83F91E420880D07FB688F6D13B88391F890C08E530C613F9BAF4A6113C363FEF3DAE248DB7B865E50412798778C348B7EF47B8412D58415870
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............V)... ...@....... ..............................O.....@..................................)..O....@..................((...`.......'............................................... ............... ..H............text...\.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................8)......H.......P ......................L'......................................BSJB............v4.0.30319......l.......#~.. .......#Strings............#US.........#GUID...........#Blob......................3..................................................*.....*...c.....J.....w.................v.....,.....E.................`.....I...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22568
                                                                                                                                                                                                                                        Entropy (8bit):6.618262139707592
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:VkUwx9rm5go1fWKmmW4oqN5dWjaWbJNyb8E9VF6IYijSJIVxowXBCX:UrmoFmWXX/NEpYi60b4X
                                                                                                                                                                                                                                        MD5:31B86A415565083298B402B885443608
                                                                                                                                                                                                                                        SHA1:6D5C76155DD140DF1D09431BBD96F69549DD0A27
                                                                                                                                                                                                                                        SHA-256:3BA52E9D7CF95281A17445FAA2F544AC15E25CD2FB098DDC719921DC9C2AF361
                                                                                                                                                                                                                                        SHA-512:91C3721B1A28983E1D0BFA0844302058DE8A8C6D8FA050B78C9060FA10166FFCC108C38686ED8988787757A221DAE2074A0D36BE07311F16129D09A09388AFD2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..&...........E... ...`....... ..............................4_....@.................................PE..O....`..x............0..((...........D............................................... ............... ..H............text....%... ...&.................. ..`.rsrc...x....`.......(..............@..@.reloc..............................@..B.................E......H........$...............A.......C......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2r/..p.(....*......(....*2(.....(....*^~....-.(.........~....*.0..........~..........(.........(....-Y..(!....{/......5..,

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18472
                                                                                                                                                                                                                                        Entropy (8bit):6.672837265435871
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:H709bOAghbsDCyVnVc3p/i2fBVlAO/BRU+psbC984vmJHrE1dtx66aI2sU52RWVq:yOAghbsDCyVnVc3p/i2fBVlAO/BRU+pF
                                                                                                                                                                                                                                        MD5:33F52A30F43DC982B23B39694D36FB29
                                                                                                                                                                                                                                        SHA1:0CBEF4E77358E5F4362E9E0432EA59E32955AB7F
                                                                                                                                                                                                                                        SHA-256:96D2746D43FBB845394F00701A6CA347E6D9F9974240AE68C4074E03C0FD047E
                                                                                                                                                                                                                                        SHA-512:AA8B3D7C8E278B0670151AD8CE8E631B797B2FD64DD7EA5BCE47B1D573A5ECA6B4BA9BC53A9B65D98CA12FCE5B9540E02FBEE15D87440CC368BFBD0D4BF490D9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............r5... ...@....... ....................................@................................. 5..O....@..P............ ..((...`.......3............................................... ............... ..H............text...x.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B................T5......H.......P ......................h3......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3................................r.....................e...........4.................3.....L...................................R...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Numerics.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.830617927942683
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cDYx4AW6RW5wPSNyby2sE9jBF6IYiYF85S35IVnxGUHFt7kRFTLCj8T:Z7W6RWmaNyb8E9VF6IYijSJIVxZ7W+jI
                                                                                                                                                                                                                                        MD5:DB31B1D952592C46FA2785114056BD2A
                                                                                                                                                                                                                                        SHA1:31C845C0AB6A847F26A51AAC65ADE3CB55FCB9A3
                                                                                                                                                                                                                                        SHA-256:2F912AFCF7DFAC8FCC03E10003E7BC3FC7A0742907E9468E215744085190C8B9
                                                                                                                                                                                                                                        SHA-512:9F1DC5E9928CEC97150530F123A86F0FBEDC5C61CD4C104683951B2317B84620329E86F7345BE90F8A79D2FE570ECB6EC482552D4FB712667A22CFCDCFB02D12
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ..............................Z.....@.................................T(..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..L....................&......................................BSJB............v4.0.30319......l.......#~......4...#Strings....(.......#US.,.......#GUID...<.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.921450435610541
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:8I5HeWFwTBsWWcNyb8E9VF6IYijSJIVxuKnj:8I5HFwTBI8EpYi60lj
                                                                                                                                                                                                                                        MD5:27E9C1074C10C7F8FB70C34119E2C928
                                                                                                                                                                                                                                        SHA1:DF5024158F5DD38B379B482D447315E3144C5D9A
                                                                                                                                                                                                                                        SHA-256:5CFF8873F9773541225423D870303EFE51F666A6B88F089285497D8E42C2E370
                                                                                                                                                                                                                                        SHA-512:18BC2667B76560433F3A40EE10B58AC43C34A17551955D91E04FF8F6D11E29DE6280AD31202E167696CE86A25320BABBF29E110CA4FA12C8383DFA9E1BEE3B05
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ..............................W.....@.................................|)..O....@..................((...`......D(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P ..t....................'......................................BSJB............v4.0.30319......l.......#~..H.......#Strings....@.......#US.D.......#GUID...T... ...#Blob......................3............................................................U.x...........................~.....4.....M.................h.....$...................r.....r.....r...).r...1.r...9.r...A.r...I.r...Q.r...Y.r...a.r...i.r...q.r.......................#.....+.....3.....;.)...C.D...K.d...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.892435025275904
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:4AJpVWbfkBnWRXNyb8E9VF6IYijSJIVxn7/:4AJpWfkBAbEpYi60z
                                                                                                                                                                                                                                        MD5:B44E9ADD66AD151B9EDDD1B696E8076F
                                                                                                                                                                                                                                        SHA1:6D8FF9C41E0F0AC9A824D0BFB34576908EA07F04
                                                                                                                                                                                                                                        SHA-256:E27D7AAED612185C74C946796513E6CB89630BA0A5F1E8FC014556D03E3848BA
                                                                                                                                                                                                                                        SHA-512:676BEA2E9F0066E44275082F9288432A2D99B65D688C4BD78AD957B2C33E3036FC06A3E1532F651A5463EF7BDC006DE60A60E5F159BA4094E105F48623D534D8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............>)... ...@....... ....................................@..................................(..O....@..`...............((...`.......'............................................... ............... ..H............text...D.... ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B................ )......H.......P ......................4'......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3......................................z...........@...\.@...0.-...`.....D.................C.................[.....x.....-.........................'.....'.....'...).'...1.'...9.'...A.'...I.'...Q.'...Y.'...a.'...i.'...q.'.......................#.....+.....3.....;.#...C.>...K.^...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21032
                                                                                                                                                                                                                                        Entropy (8bit):6.538255406907136
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Y8R71h7yzt94dHWFgQBVWeHWFyTBVW2dNyb8E9VF6IYijSJIVxRNQ2u2:p1dyAqgQBfqyTBZZEpYi60Xp
                                                                                                                                                                                                                                        MD5:1C0ABB5BF7F6516EEE06BD7FBE9A53A3
                                                                                                                                                                                                                                        SHA1:341F768A8B060E0AB6F816D524B5B80ACAC38A71
                                                                                                                                                                                                                                        SHA-256:C03665498DACE66092EFCE4CC27187D797A02A78272B3437095AA1C1B3BDB008
                                                                                                                                                                                                                                        SHA-512:35CE2A790981238CBC547B7AD66A98C6A63B864702321B8B6F0440F7F557948AF18F5B73474502D6666A6D82AC6F0219FA05AB21795706D4866EE84A4306E2EE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............8... ...@....... ...............................X....@..................................8..O....@..8............*..((...`.......7............................................... ............... ..H............text........ ...................... ..`.rsrc...8....@......................@..@.reloc.......`.......(..............@..B.................8......H.......|!..l............1..p...X7......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*......(....*..BSJB............v4.0.30319......l.......#~..h.......#Strings....\...4...#US.........#GUID...........#Blob...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Xml.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18984
                                                                                                                                                                                                                                        Entropy (8bit):6.6814838065266775
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:3psBljcZQIVI8CNwbcyMWs4oBOW9MWG4tBOWb8Nyb8E9VF6IYijSJIVxZ8osyy:5sPMQMI8COYyi4oBNw4tBrcEpYi600
                                                                                                                                                                                                                                        MD5:9C68BE8D6CFAC5D90F3A7B084998466A
                                                                                                                                                                                                                                        SHA1:C5CAD5FD40F493E16A8ED76A8632DF70EA0C5A32
                                                                                                                                                                                                                                        SHA-256:A566F5B435566296F3F1D4B074ABF931CB82E1EB6128A796D68849CB8C36A2A4
                                                                                                                                                                                                                                        SHA-512:C06329A515EB31F9AA8943B88D5102CA8CCA030D4179D05142830E41DDBFBCF17321F2AA9E540795AC0E806DCE28B9FE652028046D055944E63379FDC3D894AA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............3... ...@....... ...................................@..................................3..O....@..............."..((...`.......2............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................3......H........!..0...................L2.......................................s....*..s....*..0...........o....u......,..o....*.*.0..%........s..........(....r...p.$o......o....*:.(......}....*..{....*.(....z.(....z6.{.....o....*:.{......o....*.(....z:.{......o....*.(....z.(....z.BSJB............v4.0.30319......l.......#~.. .......#Strings....$...0...#US.T.......#GUID...d.......#Blob...........W..........3............................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):23592
                                                                                                                                                                                                                                        Entropy (8bit):6.316880491429066
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:gbhigwLAuZtM66g/Id7WVXWgvNyb8E9VF6IYijSJIVxdTvwSvb:gbhzkKs9TEpYi60Nb
                                                                                                                                                                                                                                        MD5:046943199EFC6A2D003C1828B7DFE924
                                                                                                                                                                                                                                        SHA1:77015E76D75EB927D38191FB82606FAC4BA4A3B6
                                                                                                                                                                                                                                        SHA-256:8911A38B3A60B853B2F1E5DA64FD75638AC7F48B60E9106197EC3521035D2640
                                                                                                                                                                                                                                        SHA-512:378CD108316E8B24D63FD2862368D19388BD2986228F7F54C7B5399A78D6F277266EC81CA1DFCE85D51F1FC127DB428EBCF047CB8243B977F05F09618E83B0CE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..*.........."H... ...`....... ..............................e.....@..................................G..O....`...............4..((...........F............................................... ............... ..H............text...((... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............2..............@..B.................H......H.......P ...%...................F......................................BSJB............v4.0.30319......l.......#~..........#Strings.....#......#US..#......#GUID....#......#Blob......................3................................................_.........................8.....8...*.8.....8.....8.....8.....8.....8.........*.8.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.+...K.K...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.86338586154331
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:0UcX6W9aWTmNyb8E9VF6IYijSJIVx7y5YEOJqWA:0UchXuEpYi60n8r
                                                                                                                                                                                                                                        MD5:C3B74AFF6E17901DC672FE0E556ECD36
                                                                                                                                                                                                                                        SHA1:03B9325A4B7426AF0F36AB739B7C9175B0FB54EB
                                                                                                                                                                                                                                        SHA-256:EBC16A86277704923A9F7513DA6F52BAA486BBC1E73E3D9EDFB8F7E1E0EB8383
                                                                                                                                                                                                                                        SHA-512:8E062E38B387C99BDA6B5D07632E1EDFF8420BFD77349056828A854DB68B2F106F1E66B8D757D3BB2E7A366BB6725C193F34A0E2CBD9715769EE356AB0FB1AFC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............B)... ...@....... ....................................@..................................(..O....@..................((...`.......'............................................... ............... ..H............text...H.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................$)......H.......P ......................8'......................................BSJB............v4.0.30319......l.......#~..<.......#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0.....(.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41000
                                                                                                                                                                                                                                        Entropy (8bit):5.950223047312922
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:AoBj7kS+8mjvHTeaWKs0Sd4eeUAEpYi60i:HPmb9WKs0PeeUJ76r
                                                                                                                                                                                                                                        MD5:8C58284832970C271013812BC29C016A
                                                                                                                                                                                                                                        SHA1:ECB0FBA05D9515B775485BB25BBDBAF714604364
                                                                                                                                                                                                                                        SHA-256:71F02A03C69B4FA29F9607A17563C57E53C4A1CCF38888B877269595F0BC6EBA
                                                                                                                                                                                                                                        SHA-512:0A8B943EDD04057A5F195AFE833E83A5FD39CA75EC9AEC305579F0C3BAFCE996E061A8A7198BC93F58A92D3222AFAA80C2F26E904489C6181D914A1FFD7B39B4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..h.............. ........... ....................................@.................................u...O.......8............x..((........................................................... ............... ..H............text....f... ...h.................. ..`.rsrc...8............j..............@..@.reloc...............v..............@..B........................H.......P'..\8..........._...%..,.......................................j~....%-.&(F...s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2rI..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2r9..p.(....*2rm..p.(....*2r...p.(....*2r...p.(....*2r=..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8923472122966425
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ETI2pWPzWmWeNyb8E9VF6IYijSJIVxWxypKOUl:EE3bnEpYi60ppjg
                                                                                                                                                                                                                                        MD5:E4AD83EF11A153A64A5B18F8D47101CD
                                                                                                                                                                                                                                        SHA1:E4F7C728FCE65B6D0AC91F4F5676FAB3821E7933
                                                                                                                                                                                                                                        SHA-256:9A5FA9AAAB2ED2EBF1B1ACF6CED4C1BA6F6998C7A2F2CBC072992F0E2D74DB80
                                                                                                                                                                                                                                        SHA-512:594F40CD8F270935D2E8DC40257AD75EA1EFDAB8DF20897D6AF0FAD67714D5ED5946EACE7B1CD671CF97337FC6CB35B6823923FC178045E48CDE215491F5676D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............^)... ...@....... ..............................mx....@..................................)..O....@..`...............((...`.......'............................................... ............... ..H............text...d.... ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B................@)......H.......P ......................T'......................................BSJB............v4.0.30319......l.......#~..,.......#Strings............#US.........#GUID...........#Blob......................3......................................z...........A...\.A...0.....a.....D.................C.................[.....x.....-.........................(.....(.....(...).(...1.(...9.(...A.(...I.(...Q.(...Y.(...a.(...i.(...q.(.......................#.....+.....3.....;."...C.=...K.]...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Encoding.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.910340302103303
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:7cezoy4W04WGINyb8E9VF6IYijSJIVxmrYJrK:7Bzoy+kgEpYi6012
                                                                                                                                                                                                                                        MD5:7742925EC73CC2DAA6831839740D373A
                                                                                                                                                                                                                                        SHA1:18F848AF91642602AC2649C2BF405F570295E124
                                                                                                                                                                                                                                        SHA-256:A704D5CAD486337A2B20A729C819ECE33CAFC29596F1F1840213C25AB55DD0C7
                                                                                                                                                                                                                                        SHA-512:ED69992D1E48DA2C34B81727B87B6D7B0F8791D20101CE3139676637548CBDC898CE616A35D7658743A61EE32C07F79DA689A94ADA093C8F595316E5C426E4A1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............~)... ...@....... ....................................@.................................,)..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`)......H.......P ..$...................t'......................................BSJB............v4.0.30319......l.......#~..<.......#Strings............#US.........#GUID....... ...#Blob......................3..................................................f...o.f...C.S.........W.................V...........%.....n...........@.....)...................M.....M.....M...).M...1.M...9.M...A.M...I.M...Q.M...Y.M...a.M...i.M...q.M.......................#.....+.....3.....;.'...C.B...K.b...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.792338787488365
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:chgHWexY+WKpW5FPYNyby2sE9jBF6IYiYF85S35IVnxGUHFjekh18k6:nH/JWKpWDQNyb8E9VF6IYijSJIVxXZ/6
                                                                                                                                                                                                                                        MD5:C83C35760A7F2ADDD8507444F2424C0C
                                                                                                                                                                                                                                        SHA1:4188CBCD07B22B64E6435BDFA983B38CEE3E63A2
                                                                                                                                                                                                                                        SHA-256:4D1F37BC0D3F5AA86AF0FA9BC75F8F382381379B235C199D4682A5ADCF352792
                                                                                                                                                                                                                                        SHA-512:A52BD237DDDD02B2D4A6A6B4264D193E264BC6521435E0818D7FE45EDFA816E7953D763B1A3482BAC0973819C701D5F6DEFBC300D81BD64F9EC60D6F83B3286E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0............."*... ...@....... ..............................}b....@..................................)..O....@..................((...`.......(............................................... ............... ..H............text...(.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P .......................(......................................BSJB............v4.0.30319......l...$...#~..........#Strings............#US.........#GUID....... ...#Blob......................3............................................................o.s...........D.....D.....D.....D...8.D...Q.D.....D.....D...l.....U.D.................m.....m.....m...).m...1.m...9.m...A.m...I.m...Q.m...Y.m...a.m...i.m...q.m.......................#.....+.....3.....;.)...C.D...K.d...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16936
                                                                                                                                                                                                                                        Entropy (8bit):6.743617261073706
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:DTjbocNsWMhWqiNyb8E9VF6IYijSJIVxtLZFh:rboYyFiEpYi60tnh
                                                                                                                                                                                                                                        MD5:678673E395D89C92E82970C7192C8C87
                                                                                                                                                                                                                                        SHA1:51223805B5271DBD4356EF46896E90D59AA59351
                                                                                                                                                                                                                                        SHA-256:5F36EDA03337B6204C96449310F8CF46B916E873F2BC5F9D97BE880F32C459AE
                                                                                                                                                                                                                                        SHA-512:EAEF60EB2B161268B3D8C7B04D9046171C6325AF24B9456D740D3AF9CE6F78A9E3031E088063774110F22A8D402D535532DB4EA33511283A87E7B70A1D2EE409
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.................. ...@....... ..............................w.....@..................................-..O....@..................((...`.......,............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H.......P .......................,......................................BSJB............v4.0.30319......l.......#~......|...#Strings....x.......#US.|.......#GUID.......(...#Blob......................3................................'.....).........u.................=......."...:."...W.".....".....".....".....".....".....[.....".................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;./...C.J...K.j...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Principal.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8416183763451155
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:DSKiWIhWG3Nyb8E9VF6IYijSJIVxLp8nf8:DSK8l7EpYi609g8
                                                                                                                                                                                                                                        MD5:7BE2A4FB790BDE82E982D2980AB39701
                                                                                                                                                                                                                                        SHA1:E2B5672D1B3719EDFDC045EE18BE69AAC0209CEA
                                                                                                                                                                                                                                        SHA-256:86DBCC7A8C6240B9FBF6F945AE678AA3D12A210D9A1FE1B885227AECEBA0EE2C
                                                                                                                                                                                                                                        SHA-512:41DA2CE6D83D2ABF1E8F5B8F1926E0A821FD183AD3C6BE0D142D3B1D6BDFF73A1A54ABE3E7162E54A74E50D9D5E04DFDDAE4C9E19CDD17FC77BD6A25701B657C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ...............................T....@.................................t(..O....@.. ...............((...`......<'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P ..l....................&......................................BSJB............v4.0.30319......l.......#~......@...#Strings....D.......#US.H.......#GUID...X.......#Blob......................3......................................................\.....0.....'.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.SecureString.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.789899920256675
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:v0KbZWApWmWTpWSDNyb8E9VF6IYijSJIVxkp8odWca:8KRyhfEpYi6035
                                                                                                                                                                                                                                        MD5:75DF5E5ABA2527C87E1E8804110F23F0
                                                                                                                                                                                                                                        SHA1:BB141D72B6D8DB051D48A1AEB14953877E37F3AA
                                                                                                                                                                                                                                        SHA-256:2931CE934CB5A5E25CDFC6540BD0A066AF7EB0EF21E7D44B4F1FC9EF8CCCBA59
                                                                                                                                                                                                                                        SHA-512:A3F0E9E63D651D690BC999EC3CEBF113667D0BD2961AC6E4B32D3B49E3C177686707B9603766AF4235360632795D946DD3ABC531006ABC9A6D5FD31248ABB01F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............)... ...@....... ...............................k....@.................................>)..O....@..................((...`.......(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................r)......H.......p .......................(........................................(....*..(....*..(....*..(....*BSJB............v4.0.30319......l.......#~..........#Strings....`.......#US.h.......#GUID...x...(...#Blob...........G..........3.............................................."...........C...........u...............m.b...........J.....J.....J.....J...6.J...O.J.....J.....J...j.C...S.J.............................P ............X ............` ......4.....h ....................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.Extensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.873101445570973
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ub1nWCXWr7Nyb8E9VF6IYijSJIVxnY3zI/:Q7yXEpYi60N/
                                                                                                                                                                                                                                        MD5:943D759387E7AD8F65933CDCF0345EDF
                                                                                                                                                                                                                                        SHA1:8E967B1FF2F03BB9159F8E3AD44F4029A897E5F0
                                                                                                                                                                                                                                        SHA-256:8633ACC5DE4401518ECDA5362A368929298D745CF06BBEB556D70281D8F244E0
                                                                                                                                                                                                                                        SHA-512:0533D6F62C2613FB7AC8D999DCA07CE9033EE25E88B4D101453AE7BE226C19380C7301AC0F018615F826E7D4C930F810B9B02E64EDB4D7A74E690BCA67B39345
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ....................................@..................................(..O....@..T...............((...`.......'............................................... ............... ..H............text... .... ...................... ..`.rsrc...T....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~.. ...t...#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0.....6.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.777243878360475
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:YLyW7TWyDNyb8E9VF6IYijSJIVxRr9CGj0:ofPfEpYi60h0
                                                                                                                                                                                                                                        MD5:F9B3DF90B2974A7C794E454C5A3227C0
                                                                                                                                                                                                                                        SHA1:668006520B7CE9A9BF19F4A2CBB2D452E04D758D
                                                                                                                                                                                                                                        SHA-256:6CA3B614382E1428EE16A1B7936D963A73F5699181B862968E6672EE32AB30FD
                                                                                                                                                                                                                                        SHA-512:378278166B692166E2BF3FA23D424DB497D8F8EE36D37E91A0E24F79EA6CB6B9235044DF630F4A6B73288077510156E5824D231FF058E9333CC1CECBCB34FB3B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............2*... ...@....... ..............................~;....@..................................)..O....@..................((...`.......(............................................... ............... ..H............text...8.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P ......................((......................................BSJB............v4.0.30319......l...0...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0...........D.7.....7.....7...C.7.....7.....7...[.7...x.7...-.0.....7.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.905124971012652
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:46Rb32WVzWwtNyb8E9VF6IYijSJIVx0XQk:3Rb3dtJEpYi60nk
                                                                                                                                                                                                                                        MD5:D3EA01FCC02D9B41B5728CC7847A8770
                                                                                                                                                                                                                                        SHA1:D1FFEA472CE4CBDE80ABBCE9A97E8FDA496E466B
                                                                                                                                                                                                                                        SHA-256:53C93E21E4D5EC8DE3A53041C98E989810010E32C4DB9867F984B822A3E4DDA0
                                                                                                                                                                                                                                        SHA-512:10B20CFBE330BB509A9806CEF5D6018EAEABF7F4EC1D4B00AD777169CEACBDA09015B6AD0133A98249C9C3A772C9A5B1C1CE75CD95D38088B203082DAD9F6E77
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ....................................@.................................t)..O....@..P...............((...`......<(............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................)......H.......P ..l....................'......................................BSJB............v4.0.30319......l.......#~..........#Strings....@.......#US.D.......#GUID...T.......#Blob......................3..................................................K...d.K...8.8...k.....L.................K.................c...........5.........................2.....2.....2...).2...1.2...9.2...A.2...I.2...Q.2...Y.2...a.2...i.2...q.2.......................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):31784
                                                                                                                                                                                                                                        Entropy (8bit):6.538549275834895
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:7u5I+sqOylryry8qqIfUc7a5eMEpYi60jEx:7YIVBpry8qqIfUcm5eF76QEx
                                                                                                                                                                                                                                        MD5:E8E0F247FDA6775E979278936773CF4D
                                                                                                                                                                                                                                        SHA1:F1837B866DB3E242DAE6300A87078A3A3C8CEA7B
                                                                                                                                                                                                                                        SHA-256:72FD1EDDED1175D82F667672F879DE89F3393864C0E8E017B235D937C363EF48
                                                                                                                                                                                                                                        SHA-512:70DBEF2F160C6975F0AC22DBCB1DF37D8E0D58600AC9648763C5C80FF783273FA106764A21950FE0E84D3B4B7C14CC9D46775C654927F9BA30E1EFE66A60BDF2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..F...........d... ........... ...............................9....@..................................c..O.......x............T..((...........c............................................... ............... ..H............text....D... ...F.................. ..`.rsrc...x............H..............@..@.reloc...............R..............@..B.................c......H........&...7...........^.......b......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2rK..p.(....*2ry..p.(....*2r...p.(....*2r...p.(....*2rc..p.(....*......(....*..0..;........|....(......./......(....o....s

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8767449942118
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Svn4HREpWiQWtIANyb8E9VF6IYijSJIVxeWDqLygF:tS/I4EpYi60zgF
                                                                                                                                                                                                                                        MD5:9B1BDB088AAFEAAB97E1B56F08DC0D3D
                                                                                                                                                                                                                                        SHA1:DA3AC8C6B1B6D74C4F1F3050FE88F21DA7FF6A12
                                                                                                                                                                                                                                        SHA-256:5E5854E00F6474524CEB2B9348D12CF4DCF5E23FB25E92BCCD79021D1C4455D2
                                                                                                                                                                                                                                        SHA-512:50AB9265A88B66AE299042173496CAE1ACEC92C802C43808B13207FE0D7816BB7E562A6E7E149C3AC89210C995558795515FBC124D555760A111866B9656FAFA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ....................................@..................................(..O....@..P...............((...`......x'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......l...#Strings....|.......#US.........#GUID...........#Blob......................3......................................................n.....B.....".....V.................U...........$.....m...........?.....(...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.772304532003104
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:j8MjKb47T3UCcqFMkJ59WdtWcnNyb8E9VF6IYijSJIVxoJzP:IMjKb4vcGdO7LEpYi60OP
                                                                                                                                                                                                                                        MD5:641981EF8C623D910769E212A83D6735
                                                                                                                                                                                                                                        SHA1:982525C04B1BD666A8158473ED0A67A4EED4C8AD
                                                                                                                                                                                                                                        SHA-256:5220D39430ED94F5D5F4A5CAB0BBD056E7D0D6CD7D3A9DB21F4903E25F6D0E13
                                                                                                                                                                                                                                        SHA-512:09355B8101A04FC0E8282AC54F2878A1C73B54E9A410F82FA9EE9C7C5A133C653C4E4B8C81393D25B528828CCE6E10B65DF1DCB55D23D6A24892F9FB6696D7D9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............,... ...@....... ..............................hh....@.................................`,..O....@..................((...`......(+............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H.......P ..X....................*......................................BSJB............v4.0.30319......l...<...#~..........#Strings....4.......#US.8.......#GUID...H.......#Blob......................3................................!.....O.......................................].....z.............................7.......j...........n...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.855127286564468
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:jzyNXd4+BW6FWqkNyb8E9VF6IYijSJIVxDYhVl:qztEEpYi60cZ
                                                                                                                                                                                                                                        MD5:AA1A8D60882998B37AEA93B8B0F9AB83
                                                                                                                                                                                                                                        SHA1:335E368BB3A8ED69C36A651FEB9872AB49E96162
                                                                                                                                                                                                                                        SHA-256:5ADB77F7A4579749802D914E25D9BB7292CA1803ADECCDD9038223EFE12696A2
                                                                                                                                                                                                                                        SHA-512:069202115F63DC67AF34630123DD6E2F3555535FCBFACC07019A305C637C9CC9C24E59B3AC87C480391C925398DB589BF9401ED61A5E4C357636838D40F5D64A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ....................................@..................................(..O....@..................((...`.......'............................................... ............... ..H............text... .... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~..,...p...#Strings............#US.........#GUID...........#Blob......................3..................................................'.....'...T.....G.....h.................g...........6.................Q.....:...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.861715639371312
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:hvs2Q3HKJNrWWRWfUANyb8E9VF6IYijSJIVxm83F+h:huM0xEpYi60PG
                                                                                                                                                                                                                                        MD5:2BE8F5134CAEFB9A00B91E24E206DD5D
                                                                                                                                                                                                                                        SHA1:6B27F4AFB1149D2D33F58AEB908A7032647011DE
                                                                                                                                                                                                                                        SHA-256:1DCA06F99361DA7B82330C2F404783B215172097B9759D0F959F20623820C1A3
                                                                                                                                                                                                                                        SHA-512:AF9B1576C592EBA63DBCE299D3862167319A6889BDD9DFE32E6CA0C80381E0E11C58628E47D239AE39D8803328B469706F326812693CD57D62D929E606AA6698
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ...............................|....@..................................(..O....@..4...............((...`......h'............................................... ............... ..H............text........ ...................... ..`.rsrc...4....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......`...#Strings....p.......#US.t.......#GUID...........#Blob......................3................................................../...q./...E.....O.....Y.................X...........'.....p...........B.....+...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.8...K.X...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.825329865779318
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:CFz0Q6gcqRhcsMWdMW+kNyb8E9VF6IYijSJIVx9JtAm:CFz1c60EEpYi60Lh
                                                                                                                                                                                                                                        MD5:0696BA69B6BA59A9951CAFED47DF6273
                                                                                                                                                                                                                                        SHA1:7D26CBE0BF5B1FCC513354AE3101976661FBCF5C
                                                                                                                                                                                                                                        SHA-256:4F50DE4025016F07FCE5BABF6808FE66679D300F077EBD945A1D0390C451A1E0
                                                                                                                                                                                                                                        SHA-512:C72D35896E0EEAA809FF4226FD8C02FCF6ADBB704CEF664A5447A68551621CE9FFCDD678349C175AEE14FD24F21CC8B7C80DC30B6AA115738637CD47FA4795CD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ....................................@.................................L(..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..D....................&......................................BSJB............v4.0.30319......l.......#~......,...#Strings.... .......#US.$.......#GUID...4.......#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.723581060134435
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:V6xWA3W4aW/NWQvNyb8E9VF6IYijSJIVxIJV0ssB:VaB/TEpYi60zsE
                                                                                                                                                                                                                                        MD5:FD06D18F1BE9738B807ABB44E2F5EE96
                                                                                                                                                                                                                                        SHA1:6836D5F6B0AF26941BA3D78E9814BEFC9C5CEDED
                                                                                                                                                                                                                                        SHA-256:26F3C488991EA6CE827F4B396B27848C927D05CC2456053BF0C8DFC778C170FF
                                                                                                                                                                                                                                        SHA-512:87974450ED2C984E8C4CEEA2F3E4B13853D76927ECA737EC7E887625CE0E64DF47C7F87F24E33A04452C5AB6DC183CFF7BF3478498AAACE2ADC535239670758E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............,... ...@....... ....................................@..................................+..O....@..................((...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H.......P .......................*......................................BSJB............v4.0.30319......l... ...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................-.........O.k.....k.....X.....................1...........o.........................B...........9...........J.....J.....J...).J...1.J...9.J...A.J...I.J...Q.J...Y.J...a.J...i.J...q.J.......................#.....+.....3.....;.....C.-...K.M...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73256
                                                                                                                                                                                                                                        Entropy (8bit):5.953773274399766
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:K784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAsk76nP:K7N1r9KGI04CCAskwP
                                                                                                                                                                                                                                        MD5:E18B920B89D4E2F3625D42438757ECB8
                                                                                                                                                                                                                                        SHA1:723ECC3FCE671C7E6F447B309381955D8B703C8D
                                                                                                                                                                                                                                        SHA-256:C7A41AB3ED372586A398CEE2FFBF92BFCDF4CEF8BDC295B0487D16ABE9A5D305
                                                                                                                                                                                                                                        SHA-512:883315CD3C6B3FAD08E127490A02B0951150A025950927E8C7F485C6923791402627350B5A3388286E7550660A5BCF46E683CF2840CCFA5CC5A3BD55C3DC943E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`............@.....................................O.... ..P...............((...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.ReaderWriter.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.849548878888333
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Dr97WquW6/Nyb8E9VF6IYijSJIVxkp9TI:DRJKDEpYi60e0
                                                                                                                                                                                                                                        MD5:43F56470C03597CCE7B7B3DC6DA6CFA1
                                                                                                                                                                                                                                        SHA1:4F6E2ED8F00E31A426A7DD73675A8F27D207BE2B
                                                                                                                                                                                                                                        SHA-256:FC9D370FB1849C2A0B0997918D3C65ACF6C7E423205D8703A77F8FCD5E5E5BB2
                                                                                                                                                                                                                                        SHA-512:8CA37813C08FC72DE100B3B1CFE56978669D0ED09F46A1D28E0C49EB5E06997B9E2AAB85A281DC1636457F18FF00CE94A3E572145EBCFF247FA86CB62CF28632
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............+... ...@....... ...............................4....@.................................\+..O....@..................((...`......$*............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H.......P ..T....................)......................................BSJB............v4.0.30319......l.......#~..T.......#Strings....0.......#US.4.......#GUID...D.......#Blob......................3......................................z...........j.....j.....W...............B.....z.............................................................Q.....Q.....Q...).Q...1.Q...9.Q...A.Q...I.Q...Q.Q...Y.Q...a.Q...i.Q...q.Q.......................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.79281293776618
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:116eWLDWGoNyb8E9VF6IYijSJIVx4CU9x:X6LbAEpYi60y9x
                                                                                                                                                                                                                                        MD5:BE66409D7A13FDFF0C6CA94AB61B3F1C
                                                                                                                                                                                                                                        SHA1:2C040BC4D55002FEE50FE20F8C6CD7A96729FD17
                                                                                                                                                                                                                                        SHA-256:7EEA8127812C5124AE4F7C5EFAFCB0238E899706F751DEAE53A9D97229905A01
                                                                                                                                                                                                                                        SHA-512:B8EDAEDA30468182FD94DA5DC04E5C9FFE1E14A3C0FDEFCBA1A3065A47835613F7FED1302D014470C861A271721EC10E02472367F8A53DE50AAC4BC8F3CBBC33
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............*... ...@....... ....................................@.................................|*..O....@..................((...`......D)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P ..t....................(......................................BSJB............v4.0.30319......l.......#~......8...#Strings....T.......#US.X.......#GUID...h.......#Blob......................3..................................................z.....z...u.g.................................>.....W.................r.....[...................a.....a.....a...).a...1.a...9.a...A.a...I.a...Q.a...Y.a...a.a...i.a...q.a.......................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16936
                                                                                                                                                                                                                                        Entropy (8bit):6.785588117822593
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:N8G4YC2W+wW8WpwWU4Nyb8E9VF6IYijSJIVxPnxifD:iGZ5OwEpYi606D
                                                                                                                                                                                                                                        MD5:AB604111EF57C8832DF3CE07976C2CF2
                                                                                                                                                                                                                                        SHA1:90C54CC3FCC4BDCF5A8677566C526ADBC4444C12
                                                                                                                                                                                                                                        SHA-256:CF13AD1EA509E4C173146E5A454DCE9583D4F96EEEBC8E23AB7242FD2E445CAB
                                                                                                                                                                                                                                        SHA-512:8847203DBB91B8E65182CC90641DEA2C626871298BB6B6B733305FD08E3FF6014B80371945FA8CAD126008BD9EA50D8E5FB9B3AC0F50D8FFFBA354FC7F2327B0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............+... ...@....... ..............................S.....@.................................z+..O....@..x...............((...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...x....@......................@..@.reloc.......`......................@..B.................+......H.......t ......................P*........................................s....*:.(......}....*2.{....(....*BSJB............v4.0.30319......l.......#~..0.......#Strings............#US.........#GUID...........#Blob...........WW.........3..............................................................L.........4.H...}.H...u.v...........;...........;...=.;.................../.%...........P.....m.....................................v...S.......v...d.v...........v...m...............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.900734471860413
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:u6ziqTEkGWvRWH1Nyb8E9VF6IYijSJIVxKPSq:uYT1cREpYi600F
                                                                                                                                                                                                                                        MD5:41F03BCB1615BBBFB3B00A2B625C6173
                                                                                                                                                                                                                                        SHA1:6734839529890439679EAD4989D4EA551C2C9B6A
                                                                                                                                                                                                                                        SHA-256:F56431A66C5D9FF433030A2E92629BB1095F7ED81DF1AEDC1BBDA8570A706158
                                                                                                                                                                                                                                        SHA-512:81776AA716434D1B9BD585E145867CDE59EC2D21711E70357E8BA3BBDF094FEBACD5B6434AAA66CF4FD9C386AFBC750DAAF0C608A1D2F7F045CE52E5E14ACB57
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ..............................B.....@..................................)..O....@..................((...`......d(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l...0...#~..........#Strings....x.......#US.|.......#GUID...........#Blob......................3................................................'...........~...................................G.....`.................{.....d...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.-...K.M...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.809761449499968
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:6Uv7c7iWNCWq0Nyb8E9VF6IYijSJIVxILsqO:6M7c1m0EpYi600u
                                                                                                                                                                                                                                        MD5:E62F5F14879F26F022731161701AED24
                                                                                                                                                                                                                                        SHA1:63B8FCFE9D03D96E21D0B7D5C27C53DA6E3B20CB
                                                                                                                                                                                                                                        SHA-256:505811F2E6EE6645C441221841A3E360A112BB623F1B4F613053C6BB3FC9BD6C
                                                                                                                                                                                                                                        SHA-512:162701941DBD95CE2D78A67A0A2C2E4F90574FF5EE17940B9962901BB8808D599741AEF3945FA3832E17BCC876DD69EAB8DBD9289A5976BCE222C910E58ADF5E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C..Y.........." ..0..............*... ...@....... ...............................P....@..................................*..O....@..................((...`......`)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P .......................(......................................BSJB............v4.0.30319......l.......#~......l...#Strings....l.......#US.p.......#GUID...........#Blob......................3................................................4...........~.............H.....H.....H.....H...T.H...m.H.....H.....H.........d.H.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlSerializer.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.849700921094487
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:z+vxmNWnRW5TPMNyby2sE9jBF6IYiYF85S35IVnxGUHF8C8nCM9QA:CSWnRWJ0Nyb8E9VF6IYijSJIVxIOnA
                                                                                                                                                                                                                                        MD5:CA2F69831763CBA787162A50A337593A
                                                                                                                                                                                                                                        SHA1:61BAA08A09396864EDD1C375D4BF0AF32E0A99D9
                                                                                                                                                                                                                                        SHA-256:B6CB920F4B147A509BEB3ABCD1D1C28A5883FD2500082B47FC852E620939C38E
                                                                                                                                                                                                                                        SHA-512:3B5FAC3FD5F6717D38C24127F4F1577C6811002A48A7094B4887575BB65A5BF651027A19AD3325F2F8ED6403498279386B8FF1F0AA8FD0A684057EB81BB22416
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C..Y.........." ..0..............+... ...@....... ...............................8....@.................................L+..O....@..$...............((...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...$....@......................@..@.reloc.......`......................@..B.................+......H.......P ..D....................)......................................BSJB............v4.0.30319......l.......#~..........#Strings.... .......#US.$.......#GUID...4.......#Blob......................3..................................................k.....k...U.@.........i.....=.........................................&.....'...................:.....:.....:...).:...1.:...9.:...A.:...I.:...Q.:...Y.:...a.:...i.:...q.:.......................#.....+.....3.....;.....C.5...K.U...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\log.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (337), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5166
                                                                                                                                                                                                                                        Entropy (8bit):5.048363823752778
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:XgIgJgGQ/gnSi++aPGl7p7Al4gnSi++aPGl7p7Ac:SVL/N7c9L/N79
                                                                                                                                                                                                                                        MD5:5D25A5D8D13FFAA5AC1786D690851632
                                                                                                                                                                                                                                        SHA1:27291DF461C550D693BFEAE923A63FF27391E155
                                                                                                                                                                                                                                        SHA-256:E104900680CB96704ADB5C023AC08D373C087626C89D98AAF4E1AFBE7F0D2A62
                                                                                                                                                                                                                                        SHA-512:2E74450D9C1837321A0B2DA9DEB958D4AD5C24D0BB161A32BC5AE1F14DC7F21953B0F91A9B9C2328E2FBAC579E1A4ACD25B2C2284A7D5DE1262CA2FD6758D196
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024-12-03 12:19:06.1632|ERROR|WuApiService|Error on retry number 1: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2024-12-03 12:20:27.5725|ERROR|WuApiService|Error on retry number 2: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2024-12-03 12:22:34.0511|ERROR|WuApiService|Error on retry number 3: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2024-12-03 12:23:53.5980|ERROR|AgentPackageOsUpdates|Error executin

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):92712
                                                                                                                                                                                                                                        Entropy (8bit):5.482925373003337
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:W2Ec05j4eAH64rh5fSt5T9nFcI94WYG76s:VlK4eA7mDmWYGL
                                                                                                                                                                                                                                        MD5:C369D3D7F3A1C4687B0634B9722E0C67
                                                                                                                                                                                                                                        SHA1:4A376CF65EB82627A9966D04557E44A47FB17C53
                                                                                                                                                                                                                                        SHA-256:274EDD09D51A2040A2DEADF5D37AD03A416CE71B3000EDA22D4B6C1EE4B1E6E9
                                                                                                                                                                                                                                        SHA-512:42FBBCDDF1C0B4AF3E2FF48F9450ABF3BF8B06657305DBB9E947AE6F4A4C8F9C2A631C44D351011545BF56B6A9CC537BFAAF193C9A87E0324B838B1C388F24B2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M..Z.........." ..0..8...........U... ...`....... ...............................p....@..................................U..O....`..,............B..((........................................................... ............... ..H............text....6... ...8.................. ..`.rsrc...,....`.......:..............@..@.reloc...............@..............@..B.................U......H.......P ...4..................,U......................................BSJB............v4.0.30319......l...|...#~.....d...#Strings....L3......#US.T3......#GUID...d3..x...#Blob......................3................................q.....2B........e$.M...,.M.....M...4.M...1.M...1.M..v..M...*.M...*.M....p...........................!.....).....1.....9.....A.....I.................................#.......+.......3.......;.J.....C.f.....K.f...................2.....................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3024278
                                                                                                                                                                                                                                        Entropy (8bit):7.999921356190602
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:49152:X/B/yHXbR7HpAB9ld4IGhmvgZCC3UAjw3vSRFaqnZGwTY/BFZ0CoPgJRrKrSTthP:vBsl7JeldOZN3djw+aqnowkh0CoPyRdP
                                                                                                                                                                                                                                        MD5:7805EA1A8DD15CAC328B826EFE38C2A9
                                                                                                                                                                                                                                        SHA1:66FF8EAFB2424717C4394BAE28A8683DB1244527
                                                                                                                                                                                                                                        SHA-256:7953E6A41847989284B02C4EF8022AC696DAE38EE9FAEE69CD1FF7814563C514
                                                                                                                                                                                                                                        SHA-512:17B6B6ACE9AB361FC2BC0C54A063EE67EA09A3FF01CAE4FC31D4C7FC176A7C1BB076E8766ACBE7FD5E3CD6D6B4357F926669F27BFC2523059F0465CC28FC162D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-......FnY..=.........?...AgentPackageProgramManagement/AgentPackageProgramManagement.exe....(........n......B@f.ep..L..+z[;r...E7.x..r...L...U,8gSa.26......]8...|.......q..>...n+,]....R+..L....u.^..$di.xKQ.Q*..W.l....f....i5Q.f.1......2L....4..9.A..$!..r........tW...b.*...."y.9..f.?'.Tc..O*Pa...c..X..../.....~C..,k..:s.../..d.j.N.C$........;b0.'.S:.(>!..E.v..@......|$..oJ.7r;'...n..#...B..2..,P.c0..@`D.*.G...W..%o.@4.8.V...f..np:t<t.._....a..<.......X.m.`...V.....#...F....Q..'PKl.-v0....V....>.._a.#...K.4^.Ub.Z..E.....}..._.B..p..gH.,..M..V..A..3..g....;?\..*.r........P.{~d.8......}.G9.....0..G.*.3..aO.1r.]....bNw).Gg....A.......P....PC....P.n.g..M..T...W.#e.}.S..nk.@......dj"......fi. .Pb~..L..b."i...d:.9.4...s........+n.Y.S6.c.1...8GdK....<G.Q.c..2M..M..<..D."..D.....k..T...eW......V..m.tN..n7.y...[./vF..g.._>*.l.......(I.7{8..>+.y../.E.....oQ'.. x....E....]..+k..k.]^...W.._%?.,....D....'r..;S..k.v.u..8h...U)|1W[.4.8.jp.p.gd..r....J..[.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):57384
                                                                                                                                                                                                                                        Entropy (8bit):6.169833271742037
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:4Z9Gx/x4S7IRQ4E8a9djzhXGKp2/Wy2IDcbxPuYL6qFb8xtYcFm7B6K0PEpYi60w:4XA2EPVzj2/WUobxYqFIhm7Bl0o76t
                                                                                                                                                                                                                                        MD5:0F33A7ACB33960D1306BA418405D8264
                                                                                                                                                                                                                                        SHA1:BC24C37727B00D514446C8B5FB6C04F36254A067
                                                                                                                                                                                                                                        SHA-256:A43F099127BFE1640DECA971252E573FE1745B04F29AA6B2FD672226799739C6
                                                                                                                                                                                                                                        SHA-512:72A99786ACD4B1322E63EB253BBC651D5EC0FEE83984E5214C3FAF7AFF489389375BF724ECFCFCE5E78905BDB3E7D8A99DBAE424A59B73D38A55BE0657C1EC33
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5g.........."...0.................. ........@.. ....................... ......[}....`.....................................O.......................((..........t................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........Q...l...........................................................~....(....-..*.(....,..*(....~....(....(.....l(....(....*...0..3.......~....(....-.(...+*~....(.....(.....(....o....(...+*..0...........(.....~.....( ...*..0...........(.....~.....( ...*..0...........(....(......(!...*2.(....(....*v~....(....-.~"...*~....(....*...0...........(#....(.....o$...(%...*.0..g.......(&....('....o$......o(....s).......+......O...r...p(*...o+...&...X......i2..o,...o-........,..o.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1251
                                                                                                                                                                                                                                        Entropy (8bit):5.000868036244702
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdszvPF7N8OH2//3dVhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3sB7iOgl27Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                        MD5:16D1DF732FB7C3FE51EE9657C5AC458C
                                                                                                                                                                                                                                        SHA1:32CECF6AA8A03E11A967D54C67F9404F6A73D57B
                                                                                                                                                                                                                                        SHA-256:4FC493DA952DF0968311A06FAC3A5D03FBC2351DB77D0D907A1FAFA4ADA08777
                                                                                                                                                                                                                                        SHA-512:1F33ADA48F1ECAFA9238B87A8743C0A92953D123A917E38EC9F7EA7B92A7514AF6F244E4E3F77141D9ABDC11D120641FBDE9318525E0C3F2DC16F6E1D91634C9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>... <supportedRuntime version="v4.0" />... <supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.12.0" newVersion="2.0.12.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <asse

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXTLW:WBTi
                                                                                                                                                                                                                                        MD5:D763DEC5F2FD2416D1AE6AEB7E262F16
                                                                                                                                                                                                                                        SHA1:DA0C2647112555DE35B190BC90002C5DFF655A80
                                                                                                                                                                                                                                        SHA-256:DD46598A81059BBB64D4B0C7C45EC15ED7351C52D3AFA060D50519C879546461
                                                                                                                                                                                                                                        SHA-512:E8087773BF501589A16F6C06579542F8A324EA4A4828D03B0B9B955FD60F74CE220B3666560E5F5686F356BC86B90A7DC233B1828B6B7A5DBC8A187E9B335E81
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=26.3

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):112168
                                                                                                                                                                                                                                        Entropy (8bit):6.178658900953907
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:Qgs5os2RUW33uzNrscqSofyqwshFDfuX73QbQgLb/xs8bRUi+kEWWdK76tU+:Q0jjnl1wuDYjQbQgLbZs8DWdKw
                                                                                                                                                                                                                                        MD5:4321E87C9E3D185C8220158548DC35C3
                                                                                                                                                                                                                                        SHA1:E2DD9AD093D4188F1AD57DD6DA3621E4597D9185
                                                                                                                                                                                                                                        SHA-256:C144083E9BE615ADCBBB5D24A390551FA8694D9531FA71A7434276ECF71983C9
                                                                                                                                                                                                                                        SHA-512:241DA9A09FE7F31D9716AA2080CA5CC0F58C595104AFB866C8282A3318F54DAA773721E4C682463662F6ED12F99B121659C5EADC61D4082BE211A4426BCD8DA4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Y.g.........." ..0.............b.... ........... ..............................~_....`.....................................O.......8...............((.......................................................... ............... ..H............text...h.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................D.......H....... ....!...........................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p( ...r...p(!.........("...(#.....&..*........00......:.(......}....*..0..Z............($...,......(%...*~..........(&........($...-..(....s'...........,..((.........(%...*..........&E.......0..G........{....,.(......5~)...r'..po*...rm..pr...po+...ta...r...p(,..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\CredentialManagement.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):38952
                                                                                                                                                                                                                                        Entropy (8bit):6.309605302762928
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:OINsi1A6I1MLzHS0+iFJBn5gpKNEpYi60wgG:HNsii6v/HS0+OJd5gpKm76tgG
                                                                                                                                                                                                                                        MD5:EEEE3364B34619D048A4ED27153296F6
                                                                                                                                                                                                                                        SHA1:7A41D5A42AD636C393FF839437D807528EE1E65D
                                                                                                                                                                                                                                        SHA-256:E39F30284BBC4A9E9C82D5B15037E32B1318EDA52B95BCC0085D107BAB10EC96
                                                                                                                                                                                                                                        SHA-512:EB8037BDD743D4D40B3A56C486C30DE1F4AD639B73E0E9843F8E60620CBBDA8EE217FC622E740AE5B4652A36C2C360E98717910EA7F77ADFBCCB7DB390C58ABD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..T...........!.....f............... ........... ...................................@....................................O....................p..((........................................................... ............... ..H............text...$d... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B........................H........2...O...........................................................0..+.......s.........~....%.(.....s............(.....*..........#........,..%{.....`}....*.%{.....f_}....*..0..>.......................(....}=......}>......( ...}@......(....}?....*R.{....,.r...ps....z*:..(.....(....*...0............(.......(.....*...................J.{....-..&..}....*6.(.....{....*:.(......}....*6.(.....{....*..(.....(....,.r]..ps....z.o ... ....1.r]..ps!...z..}....*6.(.....{....*..(...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398888
                                                                                                                                                                                                                                        Entropy (8bit):6.134181058032448
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:ejS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvK:e+e55LgIkTmyAAfTnMLvK
                                                                                                                                                                                                                                        MD5:A9A5F47594696F9107B0892536CBFAC4
                                                                                                                                                                                                                                        SHA1:ADC553C37025992C2965B5F6B96C2B5820F62037
                                                                                                                                                                                                                                        SHA-256:1EB13E4B8F48946953F4336A93A1E9674BD6504E5E0B63CE77F46C258B89D7F8
                                                                                                                                                                                                                                        SHA-512:8A58B6DE7D42EFD1F4D36ED52160FC50AE56FB6B1FD2F7C5BD0BD4D9E664575B1EE6A5FCF02C1666BAF159911E20C140ADCA5C30287D272E251EA18C10744EFD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ... ....... .......................`............`.................................v...O.... ..................((...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........P...................$.........................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. S]G. )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0...........r...p......%..{)....................-.q.............-.&.+.......o2....%..{*....................-.q.............-.&.+.......o2....(3...*..{4...*..{5...*..{6...*..{7...*..(+.....}4.....}5.....}6......}7...*....0..k........u......,_(,

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.960577264848236
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:wBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTU6:wBjk38WuBcAbwoA/BkjSHXP36RMGz
                                                                                                                                                                                                                                        MD5:E6BDCD57A632D61543C80D62F3784232
                                                                                                                                                                                                                                        SHA1:F2CD47B77607BA7DD33C2ACBF372D949CA14E3DC
                                                                                                                                                                                                                                        SHA-256:571DBA9B4C1A94703C35136BC1F682E0E5FA8F222C5955257348064E436152EC
                                                                                                                                                                                                                                        SHA-512:4FC1CB6664639CC50AC528005B748473CE1E6DA8280EF786B542500DFF55E9D46413E16B08D2043620BF08A52E9FC52507D2A71A550C7751517E7D38D8B985AD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ............`....................................O.......................((.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22056
                                                                                                                                                                                                                                        Entropy (8bit):6.674654059947427
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Gy/fjFwUI/KQyVvKdDhG6ISDFWvYW8af0Nyb8E9VF6IYijSJIVxOqMD11bO:GuhMaVmzDC6k0EpYi60B
                                                                                                                                                                                                                                        MD5:F745303665023AF39C03F5B25E559984
                                                                                                                                                                                                                                        SHA1:C4D87A1C1E6B861CFCC8472FB4C653E1966EE8E8
                                                                                                                                                                                                                                        SHA-256:55E85E39A1E296997D2D7D518B7D787D76757A9F820F34BC44F22F5F9B89DA70
                                                                                                                                                                                                                                        SHA-512:C3F0CB14CF00901751BE232D81334A7E889BF036B6C58385E90E85BF53CD44D870CC4EB0B8655B9EC2F333A1BBC1E4A513A28DD7B61BD0A6458743B91A84F289
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ...............................$....@.................................sC..O....`..@...............((...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):64040
                                                                                                                                                                                                                                        Entropy (8bit):6.266920683963625
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:MYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1FHEpYi607zmC:MKC9niwOepJ6TJPeb6NIUFg76Kzl
                                                                                                                                                                                                                                        MD5:C86B70CA0BE8A42272D5DB6EF2F7B1BE
                                                                                                                                                                                                                                        SHA1:D350BCAD7D7D32BD14B4A8301017D0F2DB33FB41
                                                                                                                                                                                                                                        SHA-256:ED0C48FFA98D7C89FA6F311E20F3571EFEB4A56B8EDEB266D96761C32B38618F
                                                                                                                                                                                                                                        SHA-512:ACA595A6A07750E7D303F85FB612F68CD496169F18A6EA3D1E11F780E1A4D70E3B99AA9A1A3CC19535DF7BD74763188A2EAEA15C1EC7BDD2D7FBDAE1DE5F7F56
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[............" ..0.................. ........... .......................@.......1....`.................................k...O....... ...............((... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B........................H........[..h...........(.......0.........................................{#...*:.($.....}#...*..0..#........u......,.(%....{#....{#...o&...*.*v ..yN )UU.Z(%....{#...o'...X*....0..M........r...p......%..{#....................-.q.............-.&.+.......o(....()...*..{*...*:.($.....}*...*.0..#........u......,.(%....{*....{*...o&...*.*v ..:. )UU.Z(%....{*...o'...X*....0..M........r-..p......%..{*....................-.q.............-.&.+.......o(....()...*..{+...*..{,...*V.($...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138280
                                                                                                                                                                                                                                        Entropy (8bit):6.179016784314816
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:sP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IJHx:sh0qjC5RMOHO420kN1W
                                                                                                                                                                                                                                        MD5:B9ABE287AD0A2F291327D6F00C761BB5
                                                                                                                                                                                                                                        SHA1:73CC7DC868EF9536210F02F3B2E6EA4A546E6A98
                                                                                                                                                                                                                                        SHA-256:EB10C42EE75C67F6EABFE64FB34AC6D72B1DF58B781B7865259AA0DEB7E57552
                                                                                                                                                                                                                                        SHA-512:F95A7F9E1A82C1BD965FE5131D89897A30506DC384FBD244864F8194B3F56B77A4EDE9395EAB5B505967FC1C415717F99925CD9B7DBA3B820A846655DC852B7C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`......9Q....@.................................3...O.... ..0...............((...@..........8............................................ ............... ..H............text...\.... ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B................g.......H........ ..............P.......8.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17960
                                                                                                                                                                                                                                        Entropy (8bit):6.6333981651665255
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:CTO9dQWXYW8a6gNyb8E9VF6IYijSJIVxJF08V2:CCn6xYEpYi60k8A
                                                                                                                                                                                                                                        MD5:138CE91611AC5090EB40CF4A0F2B74AA
                                                                                                                                                                                                                                        SHA1:E6F142768460337EEAB0B7152ECD6B634E466D1B
                                                                                                                                                                                                                                        SHA-256:05C85624897BF4BB08FDCD094E78D1ED81902377EF402A0C4309C6BBC58E2BFE
                                                                                                                                                                                                                                        SHA-512:7EEA7DEFA86FA312E329F40D47BE20906F7FAD70CA5E29349DC5A71A8E9DCD5B63505E214D36ECAE71841AAC46D303BEE0047958508CF3A584D7339AC00C637B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^...........!.................1... ...@....@.. ..............................p.....@..................................1..K....@..................((...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................1......H........#......................P ......................................O..q.<.P$[p.;a<...Ci......K..!..&.d...FaLJ.....f..........w.E.E........(y...,.Lr..R..........T.z....5..;.. ....&V.=}.... .0.0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0................*..0...............*...0...............*...0..........

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):50216
                                                                                                                                                                                                                                        Entropy (8bit):6.213716886100613
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:y9m7rm+YASu8BKi8d4R/eDEW2rKYLSt67vIkBnC5bPy2EpYi600:EzBKzGeIWgnL5Bney376V
                                                                                                                                                                                                                                        MD5:CD530F4628A82680E284AF9EFEF25F8D
                                                                                                                                                                                                                                        SHA1:DE2346DBEEAB2ED697AE76416BF32D6149B7863D
                                                                                                                                                                                                                                        SHA-256:C4D19CF1620682FAB2B8B70F2BB9BE60D4C0BEBA65B67E5CB6DB46501476841D
                                                                                                                                                                                                                                        SHA-512:B2ADB474196A3CA72718A96B7B09E664670BD13BAD0A6623C335865A75B9B2EB5FC9E26B0C4E28016AD3CC1434C73BA7BE5CB0D1855AF1466F7A9C6F7C02A2ED
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...x............." ..0................. ........... ....................................`.....................................O.......................((.............8............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......PK..xf............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dll.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1140
                                                                                                                                                                                                                                        Entropy (8bit):4.958392223272386
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JduPF7N8OH2//3dVhOXrRH2/dV0PH2/+w3VUrPH2/+789y:327iOgl27Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                        MD5:082A70376537A2E9B0BD9DFAD8D2496D
                                                                                                                                                                                                                                        SHA1:1B4A667CFB09D050614149D6FD8A283071DC890A
                                                                                                                                                                                                                                        SHA-256:50934981FA1B0066B22261984941887740838459B5CFA06846BA15F39B4D10F9
                                                                                                                                                                                                                                        SHA-512:763212C74B6AB727C6E2C19CA2CDFC547B357BD5E1E5C196A3A2598DCEB316D3C8E8554A7EDD1AFA99FD38E1153EDC383631D2755BB31E70236084CF27C49875
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.12.0" newVersion="2.0.12.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedir

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6655016
                                                                                                                                                                                                                                        Entropy (8bit):6.267123141882142
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:JCMEM0MUMRMxMwMkfqbjxbSzGVr4W11ByHY4W6upIjP:plV1qKpkfqbjeGVr4NHYJ60iP
                                                                                                                                                                                                                                        MD5:8DA1CF99F8030C72556A0BD7AB81F14E
                                                                                                                                                                                                                                        SHA1:A8FA11A6A15E6CD86EA886D971C2CF07D6782F1C
                                                                                                                                                                                                                                        SHA-256:3D6DBF83048F9392409DF147AA2FBC42A56D7E5A73D55A3E1DADAC9A07519687
                                                                                                                                                                                                                                        SHA-512:3733ECEA27B24FE747D632CF0D67F7659FF9073E33A2D27B8F805EEBCE7DDEF98A757FEABDC271AEA665A490C9657C376E1FBB6A513AF6D47C9EC64C6BA73E61
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Db........... ......c..........c.. ....c...@.. ........................e......1f...@...................................c.L.....c..............de.((....e.......c...............................................c.............. ..H............text...w.c.. ....c................. ..`.rsrc.........c.......c.............@..@.reloc........e......be.............@..B................H.........A...!.........H....3..........................................0..T.......r...p...o......9,....s......o......o.....o..........9.....o...........9.....o......*.........3..........7E......"..o....*...b.:....~....*.o....(....*....0..s........:....~....*.o......9......i:....~....*.~....:...........s.........~....(...+~....:...........s.........~....(...+*.....6..r...p(....*.."..(....*...:.(......}....*..0..+.......s.2.....}.....r...pr...p... 2..s....o....&*......0..{........o..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):280616
                                                                                                                                                                                                                                        Entropy (8bit):5.690900765575316
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:eG0WgexKpGi8PnJcerXUaxX3HVeES4BEIqTTpX/4ormGpnaVTSGCkMhkEn7GAhCi:eJrycoB3HVeESME3pnaVTS1nh7hCaX
                                                                                                                                                                                                                                        MD5:C96369C03A7472F30A84D8703BF58FF2
                                                                                                                                                                                                                                        SHA1:EAC791B882C0DEBDABD314BA9651FA1787D12F2B
                                                                                                                                                                                                                                        SHA-256:9201A9DD87D6635293AA737FF0235042D4E385FB8D014BB79D465AA0E50482AC
                                                                                                                                                                                                                                        SHA-512:E3761006A7D50D4CE50F05A0FEB3160A972D43889A2B33E485624E6CD256386722A58FF34204D4ECE0361216BD43E97885BF9EE8F3C5A4F0A111953C17784B79
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p3..........." ..0...... ........... ... ....... .......................`......Y"....`.................................h...O.... ............... ..((...@......L................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):342320
                                                                                                                                                                                                                                        Entropy (8bit):7.999279226606494
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:6144:zCX44JuvYHfNvQDCV9C9QRtagzQRsmvxGGMITSlohEkjH61vq6bkE8RwR:SbJuvYFQc9c6FQimJGfl0kLbkE86R
                                                                                                                                                                                                                                        MD5:2E2E6E6702FA92DA8C08FA85617FA861
                                                                                                                                                                                                                                        SHA1:BEE96D85E39FAA0D6F60FC797E0C4F0E9C01ED67
                                                                                                                                                                                                                                        SHA-256:565BBD4ED69C929CB00CE6552633382BFE46248B6E9DB3293B9C031875C02B35
                                                                                                                                                                                                                                        SHA-512:35EAF569F94C69749308D30722589331EA1957F3A11F440B1ECCC4AA32284681162128B2FEBEF76C75181B49E5E57D780685A22E14E1900FFC7ADD3F83AC075E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....2HtY.6.q........-...AgentPackageSTRemote/AgentPackageSTRemote.exe....(........m.......2....Rg.O..^^..o....'..".~.,..i....;......u.....{....p... M.7..t..j...@&.....di...+-...(:~.l.a..Q..{..|..c..g#..aU.-.../.b$.JzK.C...6@.....pf.f.D}o.x.z...". ..I......q_9].cV..56[....L...0......P.....9....X.*P..K.?..Z..V.;1.@T8.j]D.O)\.,.. ....i...R....F.Y.@...!.g.y.Jr...0YW..1.7O...!(.@...9...C......7....)..}..(.....b*.l`0.[...=.w!"~.L..bK.`u./..d.rf.,.....n....7.$.n...v...u.....;...y..L.>..Yj.....&>.#.ez....B!......8%..m.....p.{..*..&}..."....z.S.7cX.<.Ma..?E...b.4..R.o`...F.....X.........;.!.>...Q.I..._..5n....v...Z..'e...............s....^.WwL..*..g}o..%A>.....8..e.......Rd...Ac......... ..pJs.3...*R..k..)v...0..ae%....{.-..}..-...v?.<.ak..."y...a3...........PMD.?..!a.....C.x`W.K~i...j..[.~P.p.........s.....iI.p&.at.o_.4^.Ci@=...h....{.i.{.v...V.?.#..huV.p_._..h....{gp.M5.}....e$..q....h.[.0....%....j..h..A8.......4...9 @bM.1.C.4.rzK...d.}..Tw.vhG..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):72744
                                                                                                                                                                                                                                        Entropy (8bit):5.510418686208001
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:c8V32fcPq9s2k7Xvpci+yLYCJoUu7A6Ruh763:XK2na02B06Ruhc
                                                                                                                                                                                                                                        MD5:5129E29D4D9A8ED94E04099622316B37
                                                                                                                                                                                                                                        SHA1:BE1C537AD5FC51BD28BD3EA23E16CBFBDAF01DFD
                                                                                                                                                                                                                                        SHA-256:17C1A413747E1DBF203F1824E45DDC0DC7AFE4C529BCA88CDB670F019D95DB11
                                                                                                                                                                                                                                        SHA-512:7B8A1D79C069CDCBEBD57255D11D96E13E291DF8B99C15D6C969A66EF8AF8639FAC92E22B233B4B6F8B33A9C52BA2936FE59ECEE2ACF78C571F4920EA075E4BB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=g.........."...0.................. ... ....@.. .......................`.......t....`.....................................O.... ..P...............((...@....................................................... ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H........B...............................................................0..........(....9....(....~<...%-.&~;.....t...s....%.<...(...+~=...%-.&~;.....u...s....%.=...(...+~>...%-.&~;.....v...s....%.>...(...+~?...%-.&~;.....w...s....%.?...(...+*.*..(....*...0..-.......(.....3..*r...pr...p(....,.(......(....+..._*....0..(........(......~....(....,..*..(....~....(....*.0.......... ....(......i./.*...............&.........4...%.. ..o.......r9..p( ...,.*......s!.....s!............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):541
                                                                                                                                                                                                                                        Entropy (8bit):5.097123194334321
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGp2VvOF9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsIOvPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:D0EFB0A6D260DBE5D8C91D94B77D7ACD
                                                                                                                                                                                                                                        SHA1:E33A8C642D2A4B3AF77E0C79671EAB5200A45613
                                                                                                                                                                                                                                        SHA-256:7D38534766A52326A04972A47CACA9C05E95169725D59AB4A995F8A498678102
                                                                                                                                                                                                                                        SHA-512:A3F1CFF570201B8944780CF475B58969332C6AF9BEA0A6231E59443B05FC96DF06A005FF05F78954DBE2FEC42DA207F6D26025AA558D0A30A36F0DF23A44A35C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.418295834054489
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXRLX:WBRj
                                                                                                                                                                                                                                        MD5:213DA2B23EC7EC5259829958B2CF42BE
                                                                                                                                                                                                                                        SHA1:5B7DFB867ED116395F0C8D8299D7357E1F5355FC
                                                                                                                                                                                                                                        SHA-256:EB70DB8191A629C3C2A53D07EE68CE9E4A906DEFD701B4A08CAB8A410DF29457
                                                                                                                                                                                                                                        SHA-512:2B5500F9062C8C44EE4BB2BA81F4B0F948E07C1182525FBDC72A1AB6E304055E04100CCE41DC3E68A7CEC3557ED39A755EB1EF38E3DB6CF56102F5A20E6601D2
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=24.2

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96808
                                                                                                                                                                                                                                        Entropy (8bit):6.180034210973002
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:pJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvO1762sx:pQUm2H5KTfOLgxFJjE50vksVUfPvO1Ox
                                                                                                                                                                                                                                        MD5:37ACDA11522DCA5CA700D98F9B493B79
                                                                                                                                                                                                                                        SHA1:622541476D6A7FC154673CCC3A62F5999EB59CE4
                                                                                                                                                                                                                                        SHA-256:DD22E28BC66DC15C7DDDA8492E790BFDFE523D65D166290E48BCB4E7F999F942
                                                                                                                                                                                                                                        SHA-512:C41BFC19D8300C800F7B175985C067A0649DB2536E92A5D13E6DF2DB7B47626008F5633B56B1E0CAA66631BB1DF711D27A47101E7BD46616EAC2E73856E61238
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ..............................l(....`.................................(f..O.......8............R..((...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.960704142324475
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:ABja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUW:ABjk38WuBcAbwoA/BkjSHXP36RMGH
                                                                                                                                                                                                                                        MD5:D744CA98BDD1018DAC9A5B91D4D01FBA
                                                                                                                                                                                                                                        SHA1:2D6662A8A81595FAFBB7C592D546791DF06B0F91
                                                                                                                                                                                                                                        SHA-256:4D4FB6E682FDF3A69861FDD43C2ADB5E4086A43BBE888C40344F5490BF326868
                                                                                                                                                                                                                                        SHA-512:CC8A56F1401C27655B7F5CE8064C73BFF20A1A1FF438131BDDB04B684F5EAD56D1EF9C5B7B9B110EFC16D9A46C04C5E939A3E998D9FE9BEBF1BBC7940BA3565E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... .......Q....`....................................O.......................((.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\attendance-updated-time.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18
                                                                                                                                                                                                                                        Entropy (8bit):2.7946534735443422
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WkmD:WkW
                                                                                                                                                                                                                                        MD5:5B67DA91B3CB005F8EB2EDF73E8FDDC5
                                                                                                                                                                                                                                        SHA1:A45B61E38B0D681782F40D3155A1799F057786D9
                                                                                                                                                                                                                                        SHA-256:F49497F2F44821475AA5DB5E2A675D2670B4E9581AC6262BEC910B98F49806F5
                                                                                                                                                                                                                                        SHA-512:0B50F5C1620FEB63D23CDB56B6021DE1C1D1EBAF82B64651BB3821E8DD438FE4C415237095C9DC37239BC5B8D63D3F81ED9B3E53D9C23EDA90EB52021C33F341
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:638688250764240826

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\log.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1560
                                                                                                                                                                                                                                        Entropy (8bit):5.064435661629352
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:w1Q0/bqd+sVNPwleiQ0/bqd+sVNPwltQ0/bqd+sVNPwNEK:7Ubgd5xUbgd5rUbgd5c9
                                                                                                                                                                                                                                        MD5:FB1D0902E6F2E3A186BF00E076048B7E
                                                                                                                                                                                                                                        SHA1:C5CC4288153CFFB42F0F9C983829225A19286F04
                                                                                                                                                                                                                                        SHA-256:117347767D95A59C3E9EB7C1DFD93F36930B2782057B72C32281E5977846510B
                                                                                                                                                                                                                                        SHA-512:02179AFF562C117BC428381692C9BF42D45535E70E3440110D0EAA7108AC8910063149B93019F1D0DB14CA10A4E9DB7C2B7D483088E4A162EFE37A5A55BF6BB3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..03/12/2024 12:17:56 Failed to set key: RequestPermissionOption with value: ..Exception: System.ArgumentNullException: Value cannot be null...Parameter name: value.. at System.ThrowHelper.ThrowArgumentNullException(ExceptionArgument argument).. at Microsoft.Win32.RegistryKey.SetValue(String name, Object value, RegistryValueKind valueKind).. at AgentPackageSTRemote.Persistence.AteraSettings.WindowsAteraSplashtopRegistry.SetValue(String key, Object value, SettingKeyType settingKeyType)..03/12/2024 12:17:56 Failed to set key: RequirePasswordOption with value: ..Exception: System.ArgumentNullException: Value cannot be null...Parameter name: value.. at System.ThrowHelper.ThrowArgumentNullException(ExceptionArgument argument).. at Microsoft.Win32.RegistryKey.SetValue(String name, Object value, RegistryValueKind valueKind).. at AgentPackageSTRemote.Persistence.AteraSettings.WindowsAteraSplashtopRegistry.SetValue(String key, Object value, SettingKeyType settingKeyType)..03/12/2024

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3264797
                                                                                                                                                                                                                                        Entropy (8bit):7.999874275656608
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:98304:wmlKzCGP3O8ZafZGor7w2Xtapa8vte3kntR0+:DnGRZafZ2ja8JnXz
                                                                                                                                                                                                                                        MD5:FF671B6085BA35E1BBEBD5D2389AB7D6
                                                                                                                                                                                                                                        SHA1:D7719A66E303C4E854FABA873B781E0084F36998
                                                                                                                                                                                                                                        SHA-256:4F2A43098F6EFF50A03FDE9E134A4C8B7DF6FE7E9A9C6913AFEEFE0DEEB1463E
                                                                                                                                                                                                                                        SHA-512:F5A63EEB6A239D7BE9935CEB1240AAE7C9F3A8D5740D665B5FDE6F28A7667FEB345F88BC440EBE7D6A0512B448F4E3772A49823BC6AD8BA7372E0A31B5F9F200
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....`mzY.W........../...AgentPackageTicketing/AgentPackageTicketing.exe....(........H........@.e....R.l....bkS.b.o.&.....7.o.....6.5|..>..B.8.+C8..*c....j0.....f)....El._..w......l.....E.R.......L....,..|.}.?.1.5z.!.......<m.~SB....G.&.....e..?..sS.E...+.^..".t....r..bPD.G.........".Na.-oN$lg>...[..u...6......R...x..C...u...Y.}.........w-|I....I}..R.\!.A`..Bw.4..(\...f38.I\g.=..Ud)..9..r5...+.p..N.T..H..O:..{8w....d.T.M...;%*..........:.Lm.rh&.j&.F...]..h..u}..&.a.#ev..5......}O.?;..xQ....\....wd...x.)...m.Wc-%..aN..%.M.-..B..4S*.....v......{.].+^{.*_..E...\I.xR...Cv.s=F.....y.g.}iE..r.X...R8..b.1.H%....f{.M....%G;?..G........... ,f.."BH...[...9....@..b.....6..8.....f...XL.K./oi.WM.OJ..e...".]] 24B..n.}..E..6~....~6....g.-........f.&T.zZ...%......^.x...Aw.0...R5-p..I9.J~.^].gj......Ok.....hP..X.c..../.o#.Fz.*..Y../.j.!....-... ...QZ....R......%e.....y...+./*^.i&."HM.v>..(......rzf..v'4...G..n..m...a.>..\..jsM...F`...X.=txRV.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):33320
                                                                                                                                                                                                                                        Entropy (8bit):6.271212916167532
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:w2G6bukIMKWcoIQEIhL4lylU9vfWtkfoi75yHiDMMXpO64REVmiRWNyb8E9VF6Ic:VLKF6EIR4lXdIEDLmeVmiR+EpYi60Lb+
                                                                                                                                                                                                                                        MD5:DB1DB66EBD9B15B7DCD55374EA56EE5E
                                                                                                                                                                                                                                        SHA1:C22897EB20900A66CF62023C37D6A7D1192AEC3D
                                                                                                                                                                                                                                        SHA-256:0263A627BBEA55A66DEECD7A43F8537BB68B5F95BB3D4269D3E594BD1D851E64
                                                                                                                                                                                                                                        SHA-512:B56B2143A60E6153E7FB752029C72D78547D5253F32ECBD0DDA5A8ACC5C3859292E860162B11A041A37B4F618F4425484B4E2385D7E2C621C8CBCED073E3A67E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Eg.........."...0..N..........~l... ........@.. ....................................`.................................,l..O.......4............Z..((...........j............................................... ............... ..H............text....L... ...N.................. ..`.rsrc...4............P..............@..@.reloc...............X..............@..B................`l......H.......@4...6...........................................................0..........r...p... .....r...p.(.....o......(.....o......(.....o...........s......[o......s....%.o........o......s...........s....%......io....%o......o........o....o......(....*..0..........r...p... .....r...p.(.....o......(.....o.......(...........s......[o......s....%.o........o .......s!..........s.......i.......%......io".......o....o....(.........o#...*..($...*...0..~.......~....r-..po%...(.....(&.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1537
                                                                                                                                                                                                                                        Entropy (8bit):5.0063120500114895
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FV0PH2/+w3VUrPH2/+789y:3sIk7O7RgdjdgFSagFsg+w3Sg+78w
                                                                                                                                                                                                                                        MD5:C3CA0AD8FE91D02044029A11A9480B1F
                                                                                                                                                                                                                                        SHA1:1FB4C1063460C48AC77D3D4702697A35727A5E51
                                                                                                                                                                                                                                        SHA-256:B2AED8BAB56D0FDBD1D6F1277A3257DFFBFD107BEB19320C0D1F4DC0E4AD3AEF
                                                                                                                                                                                                                                        SHA-512:50B18B6DD91CB691C8B77AB612A7172CE59881705A52F59880A29A0F81E910A61D3D4506AB53B1F945611AFE079B96A896F3F01442D3B68801B2748C68AE01F6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhWB:Wo
                                                                                                                                                                                                                                        MD5:6473ED6D0D25B902FD8B7CEE34B2D260
                                                                                                                                                                                                                                        SHA1:5D0890CB19224079F6581D88C15B24E554364771
                                                                                                                                                                                                                                        SHA-256:1BEAAB7D9B210D794011D33238AA883B2A9A60FCD58A7FD6C29203289363392B
                                                                                                                                                                                                                                        SHA-512:543699EEB71F06DF84B401FC98AFB8CA6EE3A9E9D5F9B6FCCE54277CABA6CDCE100CCCFD2E310A30F274E73F2BBA161C5886D5599DEFA99CCC324540F074B265
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=30.2

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):112168
                                                                                                                                                                                                                                        Entropy (8bit):6.179971319993443
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:HgssVbDRgWchiMWXRIe0ZMTR8U3XTknAxb2waOn3ybQgLbYpm8GRUdokEWUpj769:HUpviy8UHTRxrybQgLbGm8FUpjO
                                                                                                                                                                                                                                        MD5:FD50AE7287B550575E360113077053E4
                                                                                                                                                                                                                                        SHA1:AB7C072756C7C9E6164580BA9E1E9D1E025850B5
                                                                                                                                                                                                                                        SHA-256:F3C49E6BFC2CEEDD5C3F8D5C07BB5D98E6D2DEB494B066B0878BB3B34136A140
                                                                                                                                                                                                                                        SHA-512:B833CFF36ABFFA34E0BBE8F87F63C24FE3F4F95A2D2C5C7C694F39D21B3E6761D57F68B052FB6423EA78D348214BA5F06D7BCF56F4C10355F3B088BE71D0C6DB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... g.........." ..0................. ........... ....................................`.....................................O.......8...............((..........L................................................ ............... ..H............text....... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B........................H.......0...."...........................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p( ...r...p(!.........("...(#.....&..*........00......:.(......}....*..0..Z............($...,......(%...*~..........(&........($...-..(....s'...........,..((.........(%...*..........&E.......0..G........{....,.(......5~)...r'..po*...rm..pr...po+...ta...r...p(,..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CommunityToolkit.WinUI.Notifications.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145448
                                                                                                                                                                                                                                        Entropy (8bit):6.2029293745881775
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:hRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIhA:X9XeDmzV2yzlhKLFU1lLVp1+2flYFnQB
                                                                                                                                                                                                                                        MD5:1AE3ECAC33709823C5C63FC0EEB83C1C
                                                                                                                                                                                                                                        SHA1:68A940D985D93B5EC6BB0629278ED43100DB5C8B
                                                                                                                                                                                                                                        SHA-256:8D39FD0909B98939C03F8F364A8306B53E1AF02F6C122285EB2405E6D390F118
                                                                                                                                                                                                                                        SHA-512:9301F5C579D1B1EF6A0BDB7F29330CA8BA1C32613E9F34132D8E97D9A671FC427F98A21D3E272ACDA72D00BCBCD13F9095E7592C6F67527BE135D1B6C9AA2E15
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....nI..........." ..0.............v$... ...@....... ..............................R+....`.................................#$..O....@..|...............((...`......,#..T............................................ ............... ..H............text...|.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................W$......H.............................."......................................V!.b.....s&........*..{....*"..}....*..0..Z........(....o'...-.r...ps(...zs......(....o)....+..o*.....o.....o0...o+....o....-....,..o......*........*.$N......J.s,...}.....(-...*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*6.|.....(D...*..{....*"..}....*..{....*"..}....*V.(....-.r...p*.(....*..(E...%.(....o"...%.(....o$...%.(....o ...%.o....*..(-...*..{....*"..}....*..{ ...*"..} ...*..{!...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CredentialManagement.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):38952
                                                                                                                                                                                                                                        Entropy (8bit):6.310987006425106
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:hINsi1A6I1MLzHS0+iFJBn5gpKNEpYi60wgi:GNsii6v/HS0+OJd5gpKm76tgi
                                                                                                                                                                                                                                        MD5:8A538A202FB4CC0BD0C8F6DF1B00A7ED
                                                                                                                                                                                                                                        SHA1:A0A609D7C9B4360830902BAEFB6DED9A80C68CE9
                                                                                                                                                                                                                                        SHA-256:650CAC5CAD71CD59077578A6402A829FDF1DC6542DF7C5AEAB996B65FB676BE4
                                                                                                                                                                                                                                        SHA-512:D4D1873F51064A4D151C2950C058087F0F2FEF3496C38BD5206718B74490254652C09FB683A4A8096C51DB4700F029C74DA3AEA59EC1C924E28B181912CDF140
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..T...........!.....f............... ........... ....................................@....................................O....................p..((........................................................... ............... ..H............text...$d... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B........................H........2...O...........................................................0..+.......s.........~....%.(.....s............(.....*..........#........,..%{.....`}....*.%{.....f_}....*..0..>.......................(....}=......}>......( ...}@......(....}?....*R.{....,.r...ps....z*:..(.....(....*...0............(.......(.....*...................J.{....-..&..}....*6.(.....{....*:.(......}....*6.(.....{....*..(.....(....,.r]..ps....z.o ... ....1.r]..ps!...z..}....*6.(.....{....*..(...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.WinForm.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29224
                                                                                                                                                                                                                                        Entropy (8bit):6.6707658881278595
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:hmYaXzmSJL6guJrdvc5tIZmQCaBj4QU3hOTVTDvAGvoOCcdcOFyF606Nyb8E9VFx:bSJh5tIYQzT5zyF60aEpYi60f
                                                                                                                                                                                                                                        MD5:0C45A5EDD0217F927DA829BCB69B6EBC
                                                                                                                                                                                                                                        SHA1:EAFC8785985724EDE5BE9A01BAD2216EAF78D3DE
                                                                                                                                                                                                                                        SHA-256:EEA3E8AD892CC4EA203ED7C19EA2B0DCBBD415DECCCB407A38ECD785C1A97FB2
                                                                                                                                                                                                                                        SHA-512:23D958CEA8246E57DBE5CDCD7D25BF4B18900004B9364A7492B6DB754B021E91813C32FCBA89D3529503100D51C81B30C236A2D1BCE770EEE2313CC4519551E5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p;_f.........." ..0..B..........Na... ........... ...............................s....@..................................`..S....................J..((........................................................... ............... ..H............text...TA... ...B.................. ..`.rsrc................D..............@..@.reloc...............H..............@..B................0a......H....... 3...-.........../.......2.........................................}.....(......}.......(..... ....(..... ....(.....(....o....*"..(....*..(....*...(.....{....,..+..+.-..{.....o....o....*...0..?.........+..o....,..+..+.-..o....o....,..+..+.-..*.o......,..+..+.-..*..0..J.........(.....(....,..+..+.-2.{.....3#.{....,..+..+.-....s....}.....(.....(....*j....$...s..........(....&*z.{....,..+..+.-..(......(....*..{....*.0...........{.....;.....(....,..+..+.-...}....*.{....,.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):219176
                                                                                                                                                                                                                                        Entropy (8bit):6.062603743526206
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:zYq80gPJle2CpcKyudA1+PVtMG8e7sw9CcHvhl9l:zYqqbe2CSod5dtM8ww7Pz
                                                                                                                                                                                                                                        MD5:5B3A6237E3AF3C7AF02CE7F3F670D241
                                                                                                                                                                                                                                        SHA1:05E79F3693B9396B34EDEC73942A9C03951412E0
                                                                                                                                                                                                                                        SHA-256:0F7FBE7E66A78174FCD84748572C4F4A2D03BF4D14BEB2670ADCAA51661A2A8C
                                                                                                                                                                                                                                        SHA-512:1844D5FC440446875FF4ACE95D520CE2D7D0E19CE004968A19DAE4244C8CB8CEBAACD7627F406D6F54B3DC00B6DAC2E497126577C2CB496A184E58B8B6421E37
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j;_f.........." ..0..(...........F... ........... ..............................M.....@.................................dF..W....`...............0..((........................................................... ............... ..H............text....&... ...(.................. ..`.rsrc........`.......*..............@..@.reloc..............................@..B.................F......H........S.......................S.......................................r...p(................s.........*...0...........o.....=3A.o......o......,..+..+.-.....o......(F.....,..+..+.:B......oK...*.o.... 7...@........o.......o.....o.....o........(F.......,..+..+.:t.....{f...,..+..+.-......-\.o........([.......~....(....,..+..+.-5.o........oF........ob.......,..+..+.-.....}f.....&......o.......o....*.o.....\3%.o.......o.......t......(......o....*.o.....]33.o.........1&.o........

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):302120
                                                                                                                                                                                                                                        Entropy (8bit):7.17562583053395
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:iVub5mx115y505H0jIfJMSFk9X0jIfJMSFk9i3:s6wJMykwwJMyki3
                                                                                                                                                                                                                                        MD5:9D2ACE1AA982BC225B578121C5C2F666
                                                                                                                                                                                                                                        SHA1:44A5F15565CAFE89AAD5AEB5AA7439AD18B70461
                                                                                                                                                                                                                                        SHA-256:66D62CA3B40E51E98FE11738E467405AA9A0BBEB14671F2FF158A830E87C6D57
                                                                                                                                                                                                                                        SHA-512:7C31721AF889403180240A9C68C1DCEEA8EB94C9C3E903CD9258E31E784AD8C62D9DDD372E78F5FB9A581DE68AAC9DCAE5C6C466894670EA27A21DAB3758C602
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... .F..........." ..0..l............... ........... ...............................c....`.................................?...O....................t..((..............8............................................ ............... ..H............text....k... ...l.................. ..`.rsrc................n..............@..@.reloc...............r..............@..B................s.......H.......$W...u..........@...X...........................................V.(......}......}....*..,..{.(..........,..p .@..(................s....(....*.~.......~....(....~.......~....(....*..0..........~.....(.....{.....{...+..(......{.....{3.~.....3..{.....p3.s>...s....%.o ...%.o!...(6...*.{.....{3"r...p.{.....{.....r...p.("...(#...*...0..$.......s$....o%...(&...o'...((......&.....*.................0..6.......r...p.().....-.r...p..q...(*.....q.....(+......&...*.*..........//..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):432
                                                                                                                                                                                                                                        Entropy (8bit):5.0141792226861375
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGzNFF7ap+5v5OXrRf/2//FicYo4xT:JduPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:8F6EB9E75E6A6F0C0D58FB697C10CEDF
                                                                                                                                                                                                                                        SHA1:6944935DFDC33E0C6DB26869BF25EDA85A2622D8
                                                                                                                                                                                                                                        SHA-256:E2B8677434501735FB0233ED0CC2FFEE5BF6FB4387C51DBCB2585A70E42E4F08
                                                                                                                                                                                                                                        SHA-512:A946252B2E3705EAE751A2672D4ADE1499ECEB28C48B4BE6150C4201EE20A7B9A4450C75E06B07F5DAA3528041A566931D988FBD0C2EA90240D61008895BA44A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215080
                                                                                                                                                                                                                                        Entropy (8bit):6.030450621120585
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:N1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7so:8Izm6pOIgvr7R
                                                                                                                                                                                                                                        MD5:A60919C8F8E65F7518286F804E54DB5B
                                                                                                                                                                                                                                        SHA1:9FADD4B771F00E87FF3DDD6C2B3A6FD25A1DBBF1
                                                                                                                                                                                                                                        SHA-256:FEB7575C2D9205C20A4526F60BB69CD631088927B6E58DD59AD561C792122803
                                                                                                                                                                                                                                        SHA-512:93517F2B5475BFD58986620538EF059C1532C2D653BACF8B67FF9A58D2F193F2A4A2338A27E2A0FAA51FCC88CF648BFDACAB261BA4BCF51A73BC815C83266DC8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ...............................x....`..................................'..O....@..t............ ..((...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398888
                                                                                                                                                                                                                                        Entropy (8bit):6.13428794433901
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:+jS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/Zmvu:++e55LgIkTmyAAfTnMLvu
                                                                                                                                                                                                                                        MD5:2B53A3CD189BF49E88B602C15418EC29
                                                                                                                                                                                                                                        SHA1:FA3D80250D1F3BD34331FB6FBF7DBEEC7D50DEF7
                                                                                                                                                                                                                                        SHA-256:013A5EE19F0E3EC57CD77B7D6D85EB7C5F8CC9E631E6D04388EA83BF0F307DC8
                                                                                                                                                                                                                                        SHA-512:1221C8961F330B3F50A6DA56ACD54EDEC82E38843C3E2470DEB5F25A62E21927CEF688260221CA277C151B1C5266B841D7F1EB54EFD7C4C2036ECAD72624FDC7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ... ....... .......................`.......`....`.................................v...O.... ..................((...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........P...................$.........................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. S]G. )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0...........r...p......%..{)....................-.q.............-.&.+.......o2....%..{*....................-.q.............-.&.+.......o2....(3...*..{4...*..{5...*..{6...*..{7...*..(+.....}4.....}5.....}6......}7...*....0..k........u......,_(,

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.960710652636906
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:jBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUH:jBjk38WuBcAbwoA/BkjSHXP36RMG6
                                                                                                                                                                                                                                        MD5:2E417388C1A053781655B4F14909216F
                                                                                                                                                                                                                                        SHA1:7EEA1424B92A3CDA918D9364557CEC4954397663
                                                                                                                                                                                                                                        SHA-256:C887F1417108311D77C8CF6E2DB1D95337ADE1E1BF95E0813EF5A4B8FE92110E
                                                                                                                                                                                                                                        SHA-512:472B5ADCE66638E5FB5A77D686CC0E492BF61556F6B878CFA74FE83D817B8BD057550806B504EA29A2BE91D3C8795B089DFDC83ACA8660B59DAE0180721E1E67
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ....../w....`....................................O.......................((.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\QRCoder.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):154664
                                                                                                                                                                                                                                        Entropy (8bit):5.990387112012148
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:Z4wM6OoRu7qywKsqxhDuPr5xJMnOfMAw3TkHjt0QQNOWIkHUsz72otHA3d:Z4wZywKn/U5xEwKIk0Wm
                                                                                                                                                                                                                                        MD5:B945BFFBD7FE6C1B5CD7572EB64FBE88
                                                                                                                                                                                                                                        SHA1:8FCC3551664ABB2D870DDFF456F43110BD0B8765
                                                                                                                                                                                                                                        SHA-256:55CD1DED0A3241E59E8F4DB1D97F3805C2AEA17AAB1AC070BCD7B3608201B751
                                                                                                                                                                                                                                        SHA-512:3F7B120800547C96F1C1355ECBC566984775637589D3FA26AAA7F526DF2F6ADFA670F5E17A11BA00C1E2E0ED6CFEC20BDEE7408EA9BFB1292DA84402D321C443
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...}.b..........." ..0..*..........6&... ...`....... ....................................@..................................%..O....`...............4..((...........%..T............................................ ............... ..H............text....)... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............2..............@..B.................&......H............D...................$........................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. R..0 )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o ....%..{.......%q.........-.&.+.......o ....(!...*..{....*"..}....*..(....*:.(......(....*"..(....*f.(....%-.&+.(b.....(....*..(....*"..(....*...0..%.........("...(#...($....#.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22056
                                                                                                                                                                                                                                        Entropy (8bit):6.670013589446811
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:4rMdp9yXOfPfAxR5zwWvYW8aznNyb8E9VF6IYijSJIVxAw89:4rMcXP64LEpYi600
                                                                                                                                                                                                                                        MD5:941F9C846BA51963D7C3EA4013BBB798
                                                                                                                                                                                                                                        SHA1:BD5EC38B867EA815F89B9C097EE6CAEDED412398
                                                                                                                                                                                                                                        SHA-256:4201A3647C90EA19E6725F458C6236B5E3683D4BEC6FCBB785263DCC1E85D040
                                                                                                                                                                                                                                        SHA-512:3E2F8371ED5E19FE80D7FCCBBE17D109C684FBAC465C6BB1D3C111B31E18F29B8067A9B5BD9AE5EE2F8621DA8E6ADB397382DC4EB27D0CA37B6A1E479CDD81BD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$..........BC... ...`....... ..............................y.....@..................................B..O....`..@...............((...........A............................................... ............... ..H............text...H#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B................$C......H........'...............?..X...8A......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*B.....(.........*R.....(...+%-.&(!...*^.....("....(...+&~....*.s$...*"..s%...*..(&...*.*....0......................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):420392
                                                                                                                                                                                                                                        Entropy (8bit):6.10961231240474
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:v5douWvsWkOfjL/MEd6/7vfA8SCW1nFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUF1:vpjblhW1V
                                                                                                                                                                                                                                        MD5:D8C8189A5DD97106CCEBA79018923673
                                                                                                                                                                                                                                        SHA1:007AA2E568044189342BD978402651407B2A48A3
                                                                                                                                                                                                                                        SHA-256:C84CA9E85E70A5E633154275FBA1A493CF6BF69B5E6004004A957675C750B56C
                                                                                                                                                                                                                                        SHA-512:3B47301F035FF31CA9B2B2E516DFDFC9BCE210245BA7F1488BD19432100936B959182FE4C29109D962ABA133C6B2010BDCFA5CF70678FAF928F914E370C66BCB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....d.........." ..0..8...........T... ...`....... ...............................S....`..................................T..O....`..p............B..((..........XS............................................... ............... ..H............text... 6... ...8.................. ..`.rsrc...p....`.......:..............@..@.reloc...............@..............@..B.................T......H........X..\V.................R......................................:.(;.....}....*..{....*:.(;.....}....*..{....*...0...........~<...}.....r...p}........(.....(.....(.....r)..p.(........(u.....~<...(=...,z.....s....}.......}.......}............{............%......(>....%...D....%...!....%...%.........%....%.........s....(B...*vra..p.(....,...}....*..}....*..{....*vr...p.(....,...}....*..}....*..{....*z.{....,......(>...o?...s@...z*.0..(........{....-..(......o....&....(j

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):64040
                                                                                                                                                                                                                                        Entropy (8bit):6.266720718777246
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:FYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1FHEpYi607zlDW:FKC9niwOepJ6TJPeb6NIUFg76KzI
                                                                                                                                                                                                                                        MD5:54BA7A33F778C14C858F8478AA7CE11F
                                                                                                                                                                                                                                        SHA1:287A7666FE9DE62906A17853AF367E9C280EE047
                                                                                                                                                                                                                                        SHA-256:81242FBCCD00F783E4CB57D7A77720E0D361609B9E3443F1F4FBD53549180CF5
                                                                                                                                                                                                                                        SHA-512:7582EE39AF42C9C8355B4A66C299A6F51061C5ADE5CBFA2A0DA07D8D3898E30A227CFAFA976630D8EDE2638F48E63E2D8A4150E9CB4C6CCD94315094EAA62B7B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[............" ..0.................. ........... .......................@............`.................................k...O....... ...............((... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B........................H........[..h...........(.......0.........................................{#...*:.($.....}#...*..0..#........u......,.(%....{#....{#...o&...*.*v ..yN )UU.Z(%....{#...o'...X*....0..M........r...p......%..{#....................-.q.............-.&.+.......o(....()...*..{*...*:.($.....}*...*.0..#........u......,.(%....{*....{*...o&...*.*v ..:. )UU.Z(%....{*...o'...X*....0..M........r-..p......%..{*....................-.q.............-.&.+.......o(....()...*..{+...*..{,...*V.($...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):142376
                                                                                                                                                                                                                                        Entropy (8bit):6.160884096361585
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:vUGrszKKLBFa9DvrJGeesIf3afNs2AldfIlqk:2BFd3/aFs2x
                                                                                                                                                                                                                                        MD5:7B46A38CB34CF7129A501D114EED91A7
                                                                                                                                                                                                                                        SHA1:FE284056CDF1079D4AA46EFA0EEA09DC158671D8
                                                                                                                                                                                                                                        SHA-256:0AEDF8E33279A9A9F026EF5000919A1BA38F105B0C3CEE7F6AC3628E1CE441EC
                                                                                                                                                                                                                                        SHA-512:B16BE5B7DFAE0AE5455976B0353D7368FBB080BA4DC85CA4FD56FA01C64DE5E7572196A16992C259C1442EA2D30F212E8D08F7D8F258ADACFBF9D3014CFC2394
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`...........@.................................X...O.... ..0...............((...@...... ................................................ ............... ..H............text........ ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B........................H........,................................................................('...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....((...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o)....{....(a...*..(....zN........o*...s+...*.(....z.s,...*..(....zF(U....(O...s-...*.(....z.(V...s-...*.(....z.s....*.(....z.s/...*..(....zN........o*...s0...*.(....zrr...p(\....c.K...(O...s1...*.(....zBr...p(Y...s1...*.(....z.s2...*.(....z.(X...s3...*.(!...z.(_...s3...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Numerics.Vectors.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):110120
                                                                                                                                                                                                                                        Entropy (8bit):5.510686089319165
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:gPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/Yb76k:gWw0SUUKBM8aOUiiGw7qa9tK/Yb/
                                                                                                                                                                                                                                        MD5:0AFC00C0FABFB019074DA907FE70317A
                                                                                                                                                                                                                                        SHA1:B6F8FA76424F44B0EA2FB54A17C84628CDB9B22C
                                                                                                                                                                                                                                        SHA-256:75D8D4D4C7FDCDABC5FBFF18935783A23E0951897B9990339C1B2ECA82F90BAE
                                                                                                                                                                                                                                        SHA-512:43563466B6A356B70717CA53C71D33165B646CA3C6E5771BEFBD08DBA611E791690A0BCEF6F9B3F773265C5C0177BF723046D05C7B18999D0F59C6797D55B8E0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0..v............... ........... ..............................B.....@.................................f...O.......................((.......................................................... ............... ..H............text....u... ...v.................. ..`.rsrc................x..............@..@.reloc..............................@..B........................H........Q..|?..........$... ...D.........................................(....*&.l(....k*&.l(....k*..l.l(....k*..l.l(....k*&.l(....k*&.l(....k*&.l(....k*j~....%-.&(....s....%.....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*2rG..p.(....*2r...p.(....*2r...p.(.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17960
                                                                                                                                                                                                                                        Entropy (8bit):6.673799804528098
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:/h06sbbVVPWU2WYNNyb8E9VF6IYijSJIVxeB1evuWj:/y9gpEpYi60A8
                                                                                                                                                                                                                                        MD5:3699832767ACE8B12E18E10C5ED33469
                                                                                                                                                                                                                                        SHA1:1500E3F31786CB63AB2D5FCD71542D24829B9C6A
                                                                                                                                                                                                                                        SHA-256:FA9B02A2EDB45564D38EAEC7C85AAE9B2B6D6A04BA32FEAA771C0812DC85EE79
                                                                                                                                                                                                                                        SHA-512:2FC97EC4F1FA5486C98FBFF3612BE4AA43D774BC5CD961AB7036F3AB067E4771DEA73FDA22B191B65B3362196FC958FBF1279B2BC4A5D4C1346335D30A5BC333
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ....................................@.................................@3..K....@..................((...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19496
                                                                                                                                                                                                                                        Entropy (8bit):6.524234329265897
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:LyPa16oAL4D+wW9IWmDIW4IWYDa9Nyb8E9VF6IYijSJIVxFZJr:LWs6oqDjADKeDa5EpYi609r
                                                                                                                                                                                                                                        MD5:84E608824D1DE2D0CC7B3C7072F86CAE
                                                                                                                                                                                                                                        SHA1:57A2B02945E478CBC0EA3DBC7CF4041762718EB1
                                                                                                                                                                                                                                        SHA-256:D2163CA69AA96A2DD6277CDF6BB1990758C677EF7259255995E448F18E1ACA99
                                                                                                                                                                                                                                        SHA-512:09E53F0546218D07C79E8436504097176910A909DD39814A062F19522B33334754F8BAC9F2BB03AC785B9E2463F3E24C12376A601642BC83BCE26D285AE19738
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0.............b2... ...@....... ...................................@..................................2..O....@...............$..((...`......x1............................................... ............... ..H............text...h.... ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B................B2......H........!..T....................0......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*2r[..p.(....*B.....(.........*.BSJB............v4.0.30319......l...4...#~..........#Strings....t.......#US.@.......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41512
                                                                                                                                                                                                                                        Entropy (8bit):6.409217717758582
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ljfAw5tisN7Mkvwtwq6uUQ/B0X5tl9wCVjkz3pVS3UpoztjxFUNyb8E9VF6IYijW:lksN74GX7nwOa5VS2ozdxFUEpYi60SXr
                                                                                                                                                                                                                                        MD5:5E0E85A164AA504598B5121AE6B33F4F
                                                                                                                                                                                                                                        SHA1:C2372406F7131D72376CA55B28788049A6FE8EB6
                                                                                                                                                                                                                                        SHA-256:DE2BE1CFE0E784D1FA5FAAF35C6671EA8FE50DC261562570415374DC75D77FB7
                                                                                                                                                                                                                                        SHA-512:3B19E86CCDAEB4F5F4ABDF32EAC26708C2B01C6D6DBABCE318E31C0E882C086DB6E76730DE4853302D768E2F4FBB0457347BA4D5642EBB512F14A4563D9B7AF4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Eg.........."...0..n..........r.... ........@.. ...............................@....`................................. ...O....................z..((.......................................................... ............... ..H............text...xm... ...n.................. ..`.rsrc................p..............@..@.reloc...............x..............@..B................T.......H........!...............1..@Z............................................(....*.~....-.r...p.....(....o....s.........~....*.~....*.......*j(....rY..p~....o....t....*.~....*..(....*Vs....(....t.........*.(.....(....(......,....s....o....*(....*.0..........(....o ...rm..p(!...(".....'...%.. .o#......i./..|s$......)...(.......(%....)...o&.......o'......i.0..+....o(......i.0..+....o)......i....+....o*...s+....o,.....,..(-.....&..*..................0..........(.... ....`(/.....&.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1547
                                                                                                                                                                                                                                        Entropy (8bit):5.008195800038022
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FVruH2/+mV0PH2/+w39y:3sIk7O7RgdjdgFSagFgg+msg+w3w
                                                                                                                                                                                                                                        MD5:029F543956E8B235A70112C77912150A
                                                                                                                                                                                                                                        SHA1:8F8916C78D9D3E5F92C37BDD39D34CD3B79BECA6
                                                                                                                                                                                                                                        SHA-256:33720B1985FE3F07F13744963085FA641F452EC393C3C8987A6023D0BC493BD1
                                                                                                                                                                                                                                        SHA-512:CF6EF25E7FD7E0B04A4F76B1552621874DAAA43838D0C028E62D1AABFFCD57AC7086A174BE9D5AF283DE8E8F09B5B40505478978102A1D8351681532B3828A38
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):78888
                                                                                                                                                                                                                                        Entropy (8bit):6.0692535230722235
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:r7gzIBxkogIFNU1vTGGsUTcvMOkrIB76hB:rRBxnP25sUTcvwrIBk
                                                                                                                                                                                                                                        MD5:A9F0A629B9676577360E342A81A995AC
                                                                                                                                                                                                                                        SHA1:1877BB7196654D65EB536CF5785F9EA45C92C2CD
                                                                                                                                                                                                                                        SHA-256:01E666A5B281C046830567860D3BBB7BF7FA57A991937BAE0F0F229ABCE0CDAF
                                                                                                                                                                                                                                        SHA-512:34FF88D512AA26332F3497173217E2070F245E132C9ED66EE07F97CBCA0CB3BB133831E2B12AE8472240175BF0C60DCD4A30B83864AEDF505C1D7CEFEDAC16CC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...3./..........." ..0.............>!... ...@....... ..............................VC....`.................................. ..O....@..................((...`......4 ..8............................................ ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................!......H........X..h............................................................0..........(....(.....r...p... .....r...p..(......o......(.....o......(.....o..........s......[o......s....%.o........o .....s!..........s"...%......io#...o$.....o%...(&.........,...o'......*......y.,........0..........(....(.....r...p... .....r...p..(......o......(.....o.......((.........s......[o......s....%.o........o).......s*..........s"......i.k...........io+.....(.........o,.........,...o'......*.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):953
                                                                                                                                                                                                                                        Entropy (8bit):4.9874198404771155
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JduPF7NhOXrRH2/dVxlPH2/FVQ7uH2/F9y:327O7RgdjdgFSagFw
                                                                                                                                                                                                                                        MD5:8C9F9547ABA4CD154FAA858695986C4E
                                                                                                                                                                                                                                        SHA1:667630B8AEA31C20C20EE569983B73028F0DBA21
                                                                                                                                                                                                                                        SHA-256:7DE06E53089587194D3669B5F2050B363CC2AC1BC66F0537EC4D7AD94357D46F
                                                                                                                                                                                                                                        SHA-512:C305E923A197E2C39813D423FE50D94F183E932BCC66DBEE5667AD7F4083254D50510E35ED3603555FEB4C42F580C8A1FA3D1568CC7305D22B79AB406607F836
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):350760
                                                                                                                                                                                                                                        Entropy (8bit):2.9056808142849144
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:eO11uSb/jb5JEH8VAynnnnnnnnnnnnnnn82cB:55M
                                                                                                                                                                                                                                        MD5:7F124B21745B25F3F012A455BE67E4BA
                                                                                                                                                                                                                                        SHA1:DB9F15D7230544B804E6B705E2186655E1890C85
                                                                                                                                                                                                                                        SHA-256:D23D9977B25BC0AC9713DE0CAAB77A4B089D80D513DA9F373BA76795A0188E0C
                                                                                                                                                                                                                                        SHA-512:0092A8554A89AAB856CAB81490EED10E38F374F7E3556623E96715066BA1A6549F33218E5E600652B1D06559B6A617A08311D8BB687D22BC65253DECA9B6CF14
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Eg.........."...0......d......>.... ........@.. ....................................`.....................................O........a...........2..((........................................................... ............... ..H............text...D.... ...................... ..`.rsrc....a.......b..................@..@.reloc...............0..............@..B................ .......H........*...%..........TP..`............................................0............,t.....r...p(....-..r...p(....-..r...p(....-)+G(....(.....p...(....,.(....+*(.....X...(......,..(.... ....(....+..8...s.........(.... ....`(.......(....rA..p(....rQ..p.%-.&.+.o....(....(......r]..pry..p(....( ...(....,......(....,......(!....("...(#....o$..........s%...(&...(....%(....('...r]..pr...p(....( ...((...s)........~....(*...r]..pr...p(....( ...((....C..r...p(....(+...((...(....rA..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe.config (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1786
                                                                                                                                                                                                                                        Entropy (8bit):4.998101412964689
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3sIk7O7RgdjdgFSagFgg+msg+w3Zg+wBw:8TizwzH
                                                                                                                                                                                                                                        MD5:DACBD4EDD0163701F63ADA3E81D8540E
                                                                                                                                                                                                                                        SHA1:219647896B3575AA8A07E2903D50304919C27CA7
                                                                                                                                                                                                                                        SHA-256:DF0FBC7B2A5449681549C81B7EB77B2CE8D3C0C62244C39442A73A0291124BCB
                                                                                                                                                                                                                                        SHA-512:5C725DEE661DF9FFE6D3723606FAF98F0B16094DAFC011CDE062436B351671E952A2C6CFA218E08785DBC2E69E97EC8218E1447683C1450C5BF9CCDC75C2EA73
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):350760
                                                                                                                                                                                                                                        Entropy (8bit):2.9056808142849144
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:eO11uSb/jb5JEH8VAynnnnnnnnnnnnnnn82cB:55M
                                                                                                                                                                                                                                        MD5:7F124B21745B25F3F012A455BE67E4BA
                                                                                                                                                                                                                                        SHA1:DB9F15D7230544B804E6B705E2186655E1890C85
                                                                                                                                                                                                                                        SHA-256:D23D9977B25BC0AC9713DE0CAAB77A4B089D80D513DA9F373BA76795A0188E0C
                                                                                                                                                                                                                                        SHA-512:0092A8554A89AAB856CAB81490EED10E38F374F7E3556623E96715066BA1A6549F33218E5E600652B1D06559B6A617A08311D8BB687D22BC65253DECA9B6CF14
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Eg.........."...0......d......>.... ........@.. ....................................`.....................................O........a...........2..((........................................................... ............... ..H............text...D.... ...................... ..`.rsrc....a.......b..................@..@.reloc...............0..............@..B................ .......H........*...%..........TP..`............................................0............,t.....r...p(....-..r...p(....-..r...p(....-)+G(....(.....p...(....,.(....+*(.....X...(......,..(.... ....(....+..8...s.........(.... ....`(.......(....rA..p(....rQ..p.%-.&.+.o....(....(......r]..pry..p(....( ...(....,......(....,......(!....("...(#....o$..........s%...(&...(....%(....('...r]..pr...p(....( ...((...s)........~....(*...r]..pr...p(....( ...((....C..r...p(....(+...((...(....rA..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1786
                                                                                                                                                                                                                                        Entropy (8bit):4.998101412964689
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3sIk7O7RgdjdgFSagFgg+msg+w3Zg+wBw:8TizwzH
                                                                                                                                                                                                                                        MD5:DACBD4EDD0163701F63ADA3E81D8540E
                                                                                                                                                                                                                                        SHA1:219647896B3575AA8A07E2903D50304919C27CA7
                                                                                                                                                                                                                                        SHA-256:DF0FBC7B2A5449681549C81B7EB77B2CE8D3C0C62244C39442A73A0291124BCB
                                                                                                                                                                                                                                        SHA-512:5C725DEE661DF9FFE6D3723606FAF98F0B16094DAFC011CDE062436B351671E952A2C6CFA218E08785DBC2E69E97EC8218E1447683C1450C5BF9CCDC75C2EA73
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):59944
                                                                                                                                                                                                                                        Entropy (8bit):6.132505617622881
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:56O442hHI1kIHLxnuFjBm+UuLcxVePk+CXVT+rB9ezGREpYi60B:56O4JuxnT+UuLMcBClyrvGGa76w
                                                                                                                                                                                                                                        MD5:80D52CC0CA6E0A24C65C0EC6E1D04245
                                                                                                                                                                                                                                        SHA1:1A364154797C2F233111CA4E431CD5F169BCC5C6
                                                                                                                                                                                                                                        SHA-256:A6CD8C4F007327C2B3E5E9772C086139FE7C0208BB17FDFC63B78FC7C639DF77
                                                                                                                                                                                                                                        SHA-512:16E0E7013DA0059137C4CF0436694EBEB98377F1870E976A108DD22F37B6C73033C38722103DBD97F0AC12DA99E31D51B7114B9F7E70FA56F11A1F29B6EC40A5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ........... ....................... .......s....`.................................m...O.......................((..............8............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........X..0.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..s....}.....s....}.....(......o8...(...+}....*..0...........{....o.....8......(.....s.......}E.....u....}D....{D...,........s....(....&+ms.......}G.....u....}F....{F...,........s....(....&+8s.........}I......u....}H.....{H...,.........s....(....&..(....:J.............o.....*.................0..I........{....o.....{....o.....+...(

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1191
                                                                                                                                                                                                                                        Entropy (8bit):4.971943087661362
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JduPF7NhOXrRH2/dVQ7uH2/FVxlPH2/FV0PH2/+w39y:327O7RgdSagFjdgFsg+w3w
                                                                                                                                                                                                                                        MD5:B8E88B1C181AFEB535BFEA1155000E8E
                                                                                                                                                                                                                                        SHA1:EB9066E96542DCE5F35DBF2F1424FD79ACEBB65F
                                                                                                                                                                                                                                        SHA-256:5D094CC46FED5173A2B1BE4C8E5DBDB658D2C14ABD367C47DFC6F6EABD5F295C
                                                                                                                                                                                                                                        SHA-512:58459651D3358FDDD4114AB569786A2306338C08D27D3D449BE2084EAE9D4A619C5650D3699DCA6702AEFDE8F9E77FD9E56C87EF51D4A8CCB2A22A378C488C37
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\t2tWinFormAppBarLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):23080
                                                                                                                                                                                                                                        Entropy (8bit):6.500983361117223
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ALOGTOwM15TRwLm6or29Nyb8E9VF6IYijSJIVxyyNllq:AnMTR0Pa25EpYi60tlq
                                                                                                                                                                                                                                        MD5:677BF5CBCE3B4A8E2B35714DB3EC89D4
                                                                                                                                                                                                                                        SHA1:6317DA7E6DC45CDCE30BCC1AE8FA9DF391B954BB
                                                                                                                                                                                                                                        SHA-256:E10B0E751A752F746305959D765E649BD49B73670BECE4DA5C9ACA549B2E8A08
                                                                                                                                                                                                                                        SHA-512:A80A740E0F314F8A44B6698BDD0465C511140796BEE87990695C61F88A45C5A4290B141D1606447D539E7F18784972AC787B73679AE68A79E46C056FA0C78FBD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\.\.........." ..0..(...........G... ...`....... ...............................S....`..................................F..O....`..L............2..((...........E............................................... ............... ..H............text...4'... ...(.................. ..`.rsrc...L....`.......*..............@..@.reloc...............0..............@..B.................G......H........)..$............................................................~....*.......**...(.....*...0...........~.....o......,..~.....o......+i.s(...%.o.....%.o.....%.o.....%.o.....%.o....o ....%.o....o"....%.o....o$....%.o....o&.....~......o........+..*..0............(.......o....o.......o%...o................o!......(....}.......o!......(....}.......o!......(.....o#.......(....X}.......o!......(.....o#.......(....X}..............s..........%..o.....#....%........o ...&*...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1817640
                                                                                                                                                                                                                                        Entropy (8bit):6.551345291101956
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:B9EeNSPwEW3cFSI4Tfm3hvbHsjAJcAMkP4:B9Nzm31PMo4
                                                                                                                                                                                                                                        MD5:1CDFFBCDDE48DD0DF288177F4A36E201
                                                                                                                                                                                                                                        SHA1:70F1740086944DC3551401C54834746BC88B4FB3
                                                                                                                                                                                                                                        SHA-256:FBC738BCA1208ECB4FE086F0C100B746644375BC838CF925DE0AADCB9A0DAEEE
                                                                                                                                                                                                                                        SHA-512:D3903FA3A98F8DDD34C39C9A091285E343AB8FD961EEF130926E2B4E165398263D45D7127DB6E6450560F3CB91A239A39DACB4B8DB2787762E17666DB7AF1B2D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........nN\.. ... ... .Q..... .Q...e. .Q..... ..Q#... ..Q%... ..Q$... .8..... ..].... ...!.~. .rQ(... .rQ ... .wQ.... .rQ"... .Rich.. .........................PE..d.....d.........." .................................................................P....`.................................................P...x................!......((...........@..p............................A...............................................text...0........................... ..`.rdata...1.......2..................@..@.data....`... ...J..................@....pdata...!......."...P..............@..@.gfids...............r..............@..@.rsrc................t..............@..@.reloc...............~..............@..B................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x86\SQLite.Interop.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1436200
                                                                                                                                                                                                                                        Entropy (8bit):6.781311333719278
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:Ls5ThI+vIjDEzn7tcBGtYnxLbdVlRdouD5RawYkGq78Yr4i9YE1tOvhefHXCvEsZ:WlI+vIjE7mjOuKa8Riy+gvhaIn2+0+
                                                                                                                                                                                                                                        MD5:F31A6B9883F1835F9FB5CB9FB3B877E4
                                                                                                                                                                                                                                        SHA1:2C1DCF590151D9EEE2E34C78C9A9D6AE1517C3C1
                                                                                                                                                                                                                                        SHA-256:B06ABD1357A5D0111C380520A29E93D648632F240090756C61FE9BE9B518B02D
                                                                                                                                                                                                                                        SHA-512:171F9DC37C29508AF911764530286B2AA19731820F0C39B34F063B0E4C4EF16B501763BD32BA2C126CCEF88F89E3140D26A73B67C54AF1036E14049D95CC94F0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v..{2..(2..(2..(.*W(...(.*U(...(.*T(...(..)%..(..)'..(..)=..(.Im(:..(,.5(1..(2..(...(..)3..(..)3..(..Y(3..(..)3..(Rich2..(........PE..L.....d...........!.....f...X............................................................@.........................P...t.......x....`..................((...p..X...@...p...............................@...............H............................text....d.......f.................. ..`.rdata..............j..............@..@.data....8.......,..................@....gfids.......P.......&..............@..@.rsrc........`.......(..............@..@.reloc..X....p.......2..............@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):584433
                                                                                                                                                                                                                                        Entropy (8bit):7.9996007806235445
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:12288:AaPKah+cOqB7YBiq57hmRYB2Vb7mde3FV/ruWIwUhA2yaJ4Gi1Cx/cL:xiBiqIYQF7/7ruQWA2Xxi1wS
                                                                                                                                                                                                                                        MD5:B50834694383960830CF48D9836E1108
                                                                                                                                                                                                                                        SHA1:ADC80813181B98A8296BEFA2960A55F939F3BFEE
                                                                                                                                                                                                                                        SHA-256:370A259808052366888284B0CC4C91FF8F23E8008003959B8D0EFB1ADBF00CD6
                                                                                                                                                                                                                                        SHA-512:F87BE933E87275B000BE031AA5DF7536DFD5FE9B99A607CE0904F206E074D3A0687A00654B9B78EDAA2FCCF3D30526E0EE5BD7DCBA4A5DAAFD6FC60EEAAA15C5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-......FgY...........5...AgentPackageUpgradeAgent/AgentPackageUpgradeAgent.exe....(.......ch......75d..........z..L.....5...*...S.'.?...h.6..Eo....."y......5...z_...y..&....L..ZZ6.....=U...f...JYj......../..~.%......1,=....,.J....eG.=.i..G..I ..6m~.GO...............E,._&;>o.........{....@..Z.S......]....HS..TW...b...#Rh..H...p.|.A_..Q..NZ4`3a.....DE[.!.7.!.......@..]..ja..P.)..C...!g..UUG.........../..uW.&...!g..G.kv.z]C.-..p.....J..j.1".M..Wt.-x_.....&.g.k....Dc.}$".M....=..:......X?..i.peV..'.."-....e)0..'..D....v...1..1..g..X[...`....y....a...R...BE..:!.%{...v.:.K.#h.u..W..L.l..:.M..DXd.&.}......$.........:....D|t3......Q...&.".3>.@.....H.^.@..2. ..../.Y.............np....G.GU\......6.]i(.E).Z?yj..?V.Q.Q2.. ..q .Z4HN...W......G_.E*v3 ...A...4.....r...z..r..3~..i^..Qvj.:O*:.....+...>s&H.d..sF....V.8.~.'*......6..i......<....ol.($....8.E..s.....6...]WF!]P.I...\/..$....Q.4...r.b4S.Z.$..h....Y..5....v..n.2.K.w......(..?.UH..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):57896
                                                                                                                                                                                                                                        Entropy (8bit):5.807323990997079
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:rNvSjQvTQYc1IY1OwcujXQft0k5df9bq76In:rRSjQvMYcSIJcuMftH5d1bqL
                                                                                                                                                                                                                                        MD5:E9794F785780945D2DDE78520B9BB59F
                                                                                                                                                                                                                                        SHA1:293CAE66CEDBC7385CD49819587D3D5A61629422
                                                                                                                                                                                                                                        SHA-256:0568E0D210DE9B344F9CE278291ACB32106D8425BDD467998502C1A56AC92443
                                                                                                                                                                                                                                        SHA-512:1A3C15E18557A14F0DF067478F683E8B527469126792FAE7B78361DAD29317FF7B9D307B5A35E303487E2479D34830AA7E894F2906EFFF046436428ADA9A4534
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....,g.........."...0.................. ........@.. ....................... ...........`.................................<...O.......x...............((........................................................... ............... ..H............text........ ...................... ..`.rsrc...x...........................@..@.reloc..............................@..B................p.......H........X...s...........................................................0..Y........o.......+C......o......r...p.o....t)...r...p(....,.........,..o.......&....X....i2..*..*...........$;..........8G.......0..#.......~....r/..po.......(....}.....{....(....,.rw..ps....z..{....o......r...p.o.......r...p.o....t)...}.....{.....(....,..r...p..o......}......}.....r...po.......r...p.o....t)...}.....{.....(....,..r...p..o......}......}.......,..o.........5.,..o......,..o......,..o....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):535
                                                                                                                                                                                                                                        Entropy (8bit):5.076084597400077
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdG3VO3rdZRLNFF7ap+5v5OXrRf/2//FicYo4xm:JdfrdDPF7NhOXrRH2/d9r
                                                                                                                                                                                                                                        MD5:D505E3DE03F172FA2B246E210054C5F7
                                                                                                                                                                                                                                        SHA1:F5A480F56F760EEBA3B29108387E54D70A721127
                                                                                                                                                                                                                                        SHA-256:A568F933F09B1AD1EE5E88DDCFFA1FE5921D18B73477136E1FAEE55F2BEF399A
                                                                                                                                                                                                                                        SHA-512:80F01447B43525DBDF5B283522FE14D9AECEF16E55EA3FE36DC0A94B53C49E03BB56136F0911C348FB78FB5AF6112B1DE7C38CBFFBD73ACB2971655EF1B2B859
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXSnn:WBe
                                                                                                                                                                                                                                        MD5:39DF0BC698F203A4FEF18A68A7B0EADC
                                                                                                                                                                                                                                        SHA1:0EA8D556AF659E0C8D6406B5B3E7E56EE6A10188
                                                                                                                                                                                                                                        SHA-256:F8DD3CEC3612C302B45EA9539002625E58E528A5CB68B4B0E6C3C2A378122C1A
                                                                                                                                                                                                                                        SHA-512:E6FF51381293BFD52EAE39B9868968A76D94BC993BAD5566C532A30E5EE5FE121C2F5B8EAED7ACEE59E3F6B8C1B3BEBB53B07B46F572F3498B1800B0DEAC128D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=27.6

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96808
                                                                                                                                                                                                                                        Entropy (8bit):6.179305078416296
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:nJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvO1762y9:nQUm2H5KTfOLgxFJjE50vksVUfPvO1c9
                                                                                                                                                                                                                                        MD5:BE16D0F73D33053C3817894C955BFA43
                                                                                                                                                                                                                                        SHA1:6B79C7034EE0E4DBC4B90ADC3B47BF395CAE052D
                                                                                                                                                                                                                                        SHA-256:434EA180FF3960ADF251CF34B8333A1BD70EAA7BDF42279317F2ECD7B7CCEAEB
                                                                                                                                                                                                                                        SHA-512:6F08EC35E1D194328CD923FC22C6BBAFB072497ABA03DAC59F8E78C99D2CC3C87237CC5178CFEBA52078AC729286B8221FD7A8CD676A5A49D2879C553DAB332A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ....................................`.................................(f..O.......8............R..((...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):186408
                                                                                                                                                                                                                                        Entropy (8bit):5.933461189028906
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:mkfZS7FUguxN+77b1W5GR69UgoCaf8/BCnfKlRUjW01KyFxYV:g+c7b1W4R6joxfQ8Y
                                                                                                                                                                                                                                        MD5:7989DFD7A0AF54F59AD5C3E483A66CF6
                                                                                                                                                                                                                                        SHA1:4F323F2E5174A789A31068DD76355447DB61AFFB
                                                                                                                                                                                                                                        SHA-256:0E47E3F0432060BAE79988A622AAB4334328F85FE443D764D4C81D94C9F3DBAE
                                                                                                                                                                                                                                        SHA-512:757182DF2492B66E06AA3B1854DAB487BB512FC5FBCE869CA4265218F5889D2D5B3748C2FC5B458FA148D10F3F5B61028DCA9B789F6766689BA1A24E9BE06936
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&..Z.........." ..0...... ......~.... ........... ..............................,Q....@.................................,...O.......................((........................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):331816
                                                                                                                                                                                                                                        Entropy (8bit):6.168523582236471
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:ZBhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNTk:ZDMUWITZznu85k8Wdn8KmCjIFi3VvY
                                                                                                                                                                                                                                        MD5:41E6FC15337B1F2F556E3DE56D0DB476
                                                                                                                                                                                                                                        SHA1:EF8EAAC6EF9B00383B48762773A5110D7C2F3EEA
                                                                                                                                                                                                                                        SHA-256:81D43F8C0726143F28A33390B78E540C75F48733C3518B9D605C2E52AC0554C4
                                                                                                                                                                                                                                        SHA-512:56956F6BBB56BF481B1434ADC0D37303065206FC4ECA8787B6EC8CD089D7C619875C62BBD282F5F0D9A69820937651968CC343CF5AE251B08345997BDD0555C7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... .......................@......f.....@.....................................O.......................((... ..........T............................................ ............... ..H............text...<.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H............9..............H.............................................{....*..{....*V.(......}......}....*...0..A........u3.......4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ..<. )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q6....6...-.&.+...6...o.....%..{.......%q7....7...-.&.+...7...o.....(....*..{....*..{....*..{....*r.(......}......}......}....*..0..Y........u8.......L.,G(.....{.....{....o....,/(.....{.....{....o....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.960700401761297
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:NBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUD:NBjk38WuBcAbwoA/BkjSHXP36RMG+
                                                                                                                                                                                                                                        MD5:2CFBB3EA34E3EAEFB478A1C0BF00190D
                                                                                                                                                                                                                                        SHA1:A9298FD5C46D97C296E06B9D9D4034C2EC657D57
                                                                                                                                                                                                                                        SHA-256:34FFBC77AEA4058D6B4EF621815B5C56EDD35585888FBCC2DE10E7B176EE3A3A
                                                                                                                                                                                                                                        SHA-512:DA46D62BB6466E9B8DF21E75C594C06CBF3D79C8FE6038469B74F6562CCA9B38A482F386034F7B3C0D9DEEA6C5D0420AFE0EA08E59B1BBDA1C07B866D9F0B352
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... .......r....`....................................O.......................((.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):55848
                                                                                                                                                                                                                                        Entropy (8bit):6.238377987704794
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:SREoc0f5k1KlLoz0WOySMEpnSO7iX16UJKdiYpxDEpYi60WLS:SR8+5k15z0WBZEtgwJx876FG
                                                                                                                                                                                                                                        MD5:2FB2CD6CC7C0B40202165C2ACF27F3FC
                                                                                                                                                                                                                                        SHA1:D3125C28C46AD0083EA1EB65EAE6FA077908D985
                                                                                                                                                                                                                                        SHA-256:4E83AE51D18FABA26E8B1315C199AF46DF7A1AFB18390DB30337679DF54A7812
                                                                                                                                                                                                                                        SHA-512:C84CB5DE47798E6F0459BE87BCBA514FC14531F361909A2B81CFD6B477206B75C9F0F338C1477BF9A87BB7D08ACFEB99342EC5C9F1535F510BE742A27B5ED099
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....<V.........." ..0.................. .........c. ....................... ......s.....`.................................P...O.......H...............((........................................................... ............... ..H............text........ ...................... ..`.rsrc...H...........................@..@.reloc..............................@..B........................H........".................."..P............................................................................................0.......................0.......................................................................................0...............0...................................................................................................0...............0...................................................0...............0..........................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X............." ..0............." ... ...@....... ....................................`.....................................O....@..|...............0(...`..........T............................................ ............... ..H............text...(.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................. ......H............{..................x.......................................r.(......}......}......}....*....0..,........-..{.....o...+.+..{.....{....s.....o...+..*V.(......}......}....*...0...................-..+..o....s"........o$......o,....,..o....,...,....o(........,...oH...,...o......+.......9......o....,..{......o....o....o......s..........o&...8.....{......o....o........9e.....o.....?X.....r...po....9G.....r...po....o....r...p.( ...9&.....r...po....9......r...po....o.....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`.......f....@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):753
                                                                                                                                                                                                                                        Entropy (8bit):4.853078320826549
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                                                                                                                                                        MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                                                                                                                                                        SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                                                                                                                                                        SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                                                                                                                                                        SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallState

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):7466
                                                                                                                                                                                                                                        Entropy (8bit):5.1606801095705865
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                                                                                                                                                        MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                                                                                                                                                        SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                                                                                                                                                        SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                                                                                                                                                        SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..e.........."...0.............f$... ...@....@.. ...............................1....`..................................$..O....@..,...............0(...`......."............................................... ............... ..H............text...|.... ...................... ..`.rsrc...,....@......................@..@.reloc.......`......................@..B................H$......H.......(...D4..........l!..p.............................................{....*.0..N........~......,.~.....+:(.......~....(........(....#.......@....,.(.....+.~.....+..*...0..;........(.......(.....1.(.......(........+....,.~.....+.~.....+..*..0..6........~....%-.&~..........s....%.....s ......o!.....o"....*...0..O........(...........~#...r...po$..........,..rG..ps%...z.rO..p.....(&....~.....o'....*..0..>........~#...r...po(............,'.~#...r...po$............,.rG..ps%...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\BouncyCastle.Crypto.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R............" ..0..r2..........&1.. ....2...... ........................2.....i.3...@.................................G&1.O.....2..............|2.0(....2.....X.(.p............................................ ............... ..H............text....p2.. ...r2................. ..`.rsrc.........2......t2.............@..@.reloc........2......z2.............@..B................{&1.....H...........$....................(.....................................V!........s.........*.~....-*(....o....o....o.........~....-.~.........~....*..( ...*...0..G.......(!....o"....s.1....s*,..%..(.... ....o.....o 0...Zo....t....o8(..(....*..0..$..........(.....(....o.....(!.......io#...*z...(....(!....o"...o....(....*..0............T....r...p.(O....o$....(....*..0..I.......sG...sB)..s.(..s.(...(....s6(....,..o%....2...(....sV(....+.....%..ox...*..( ...*V.(&.....}......}..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ....................................`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......J.....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Pubnub.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X............." ..0............." ... ...@....... ....................................`.....................................O....@..|...............0(...`..........T............................................ ............... ..H............text...(.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................. ......H............{..................x.......................................r.(......}......}......}....*....0..,........-..{.....o...+.+..{.....{....s.....o...+..*V.(......}......}....*...0...................-..+..o....s"........o$......o,....,..o....,...,....o(........,...oH...,...o......+.......9......o....,..{......o....o....o......s..........o&...8.....{......o....o........9e.....o.....?X.....r...po....9G.....r...po....o....r...p.( ...9&.....r...po....9......r...po....o.....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`.......f....@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\log.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):247
                                                                                                                                                                                                                                        Entropy (8bit):5.159333018861677
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:A0bXJIHKFKui9wqWluiKFHnFSLRg42VVdii4ATTVId44MNWKlX7SfHXo2D2GWSXj:ACGq89w3pKFSQlid4rNWKNI1DpBFDX
                                                                                                                                                                                                                                        MD5:82D90F808A5A36911C5D641BDF486B07
                                                                                                                                                                                                                                        SHA1:9F78005FF8BA208590A2DF6EA4F6A480BA20EFFD
                                                                                                                                                                                                                                        SHA-256:069F755F01AAC969A8C88391DDB81FAE21E005613905327FB123E7F9A0D6FA90
                                                                                                                                                                                                                                        SHA-512:BBE77A1346F8B98DDA0BAB68CDF7C8087B75173CC5653A14DFDA9A8BABD49D55081F1FBBC2BB640DD7C1D6E5202BAFA3EE1B57BBB9DD4C56BACBCF9554F1DBD5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:/i /IntegratorLogin=ibarra3168@gmail.com /CompanyId=1 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q300000ODucuIAD /AgentId=5ea19671-d970-4e60-89b1-722649f3b810.03/12/2024 12:17:04 Trace Starting..03/12/2024 12:17:49 Trace Starting..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\inprocmessaging\trayProcessMessages.json

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):178
                                                                                                                                                                                                                                        Entropy (8bit):5.299846687089982
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:5PbTsI5xZU/xkwwQrcnIVaSQ1/rdUgMHDxZfkFgbPU+Sok8Tufrsf3J2MzqRI+OS:RbTpx2Ooz8rOgMHDrfYgoR8Tuj25rmR9
                                                                                                                                                                                                                                        MD5:4B5A03558C6CAFD059E1E6F2708AE8DF
                                                                                                                                                                                                                                        SHA1:2DCCC7C54719BF2C5F78C96BDC995DA05766E8B7
                                                                                                                                                                                                                                        SHA-256:CC0B12EB41A709628D03942102CCC461A4CAF3E4207A0563ACF902186281F58B
                                                                                                                                                                                                                                        SHA-512:7F8CC5E92E25393DC73BCF5F2AECB754FA2989C18EA2108A7EE14ADB75BBA63F6C1E75F83A6B426D4D63C2F22487B80A4FC82B8FDDFFDCCE73D4C504D05B3E41
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:eyJJZCI6ImFlZDVhNTI3LTFkZTAtNGU5Ny1hZDBiLTk0ODc1NGQxOWZkNyIsIkNyZWF0ZWQiOiIyMDI0LTEyLTAzVDEyOjE4OjM3Ljg4NjMwODctMDU6MDAiLCJNZXNzYWdlIjoiX0lOSVRfIiwiVGltZW91dCI6IjAwOjAxOjAwIn0=..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):247
                                                                                                                                                                                                                                        Entropy (8bit):5.159333018861677
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:A0bXJIHKFKui9wqWluiKFHnFSLRg42VVdii4ATTVId44MNWKlX7SfHXo2D2GWSXj:ACGq89w3pKFSQlid4rNWKNI1DpBFDX
                                                                                                                                                                                                                                        MD5:82D90F808A5A36911C5D641BDF486B07
                                                                                                                                                                                                                                        SHA1:9F78005FF8BA208590A2DF6EA4F6A480BA20EFFD
                                                                                                                                                                                                                                        SHA-256:069F755F01AAC969A8C88391DDB81FAE21E005613905327FB123E7F9A0D6FA90
                                                                                                                                                                                                                                        SHA-512:BBE77A1346F8B98DDA0BAB68CDF7C8087B75173CC5653A14DFDA9A8BABD49D55081F1FBBC2BB640DD7C1D6E5202BAFA3EE1B57BBB9DD4C56BACBCF9554F1DBD5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:/i /IntegratorLogin=ibarra3168@gmail.com /CompanyId=1 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q300000ODucuIAD /AgentId=5ea19671-d970-4e60-89b1-722649f3b810.03/12/2024 12:17:04 Trace Starting..03/12/2024 12:17:49 Trace Starting..

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..e.........."...0.............f$... ...@....@.. ...............................1....`..................................$..O....@..,...............0(...`......."............................................... ............... ..H............text...|.... ...................... ..`.rsrc...,....@......................@..@.reloc.......`......................@..B................H$......H.......(...D4..........l!..p.............................................{....*.0..N........~......,.~.....+:(.......~....(........(....#.......@....,.(.....+.~.....+..*...0..;........(.......(.....1.(.......(........+....,.~.....+.~.....+..*..0..6........~....%-.&~..........s....%.....s ......o!.....o"....*...0..O........(...........~#...r...po$..........,..rG..ps%...z.rO..p.....(&....~.....o'....*..0..>........~#...r...po(............,'.~#...r...po$............,.rG..ps%...

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R............" ..0..r2..........&1.. ....2...... ........................2.....i.3...@.................................G&1.O.....2..............|2.0(....2.....X.(.p............................................ ............... ..H............text....p2.. ...r2................. ..`.rsrc.........2......t2.............@..@.reloc........2......z2.............@..B................{&1.....H...........$....................(.....................................V!........s.........*.~....-*(....o....o....o.........~....-.~.........~....*..( ...*...0..G.......(!....o"....s.1....s*,..%..(.... ....o.....o 0...Zo....t....o8(..(....*..0..$..........(.....(....o.....(!.......io#...*z...(....(!....o"...o....(....*..0............T....r...p.(O....o$....(....*..0..I.......sG...sB)..s.(..s.(...(....s6(....,..o%....2...(....sV(....+.....%..ox...*..( ...*V.(&.....}......}..

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ....................................`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......J.....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X............." ..0............." ... ...@....... ....................................`.....................................O....@..|...............0(...`..........T............................................ ............... ..H............text...(.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................. ......H............{..................x.......................................r.(......}......}......}....*....0..,........-..{.....o...+.+..{.....{....s.....o...+..*V.(......}......}....*...0...................-..+..o....s"........o$......o,....,..o....,...,....o(........,...oH...,...o......+.......9......o....,..{......o....o....o......s..........o&...8.....{......o....o........9e.....o.....?X.....r...po....9G.....r...po....o....r...p.( ...9&.....r...po....9......r...po....o.....

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`.......f....@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AteraAgent.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2402
                                                                                                                                                                                                                                        Entropy (8bit):5.362731083469072
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQg8mHDp684IHTQ06YHKGSI6oPtHTHhAHKKk+HKlT4v1qHGIs0HKaHKmTHlH7:iqzCIzQ06YqGSI6oPtzHeqKk+qZ4vwme
                                                                                                                                                                                                                                        MD5:28B4BFE9130A35038BD57B2F89847BAE
                                                                                                                                                                                                                                        SHA1:8DBF9D2800AB08CCA18B4BA00549513282B774A9
                                                                                                                                                                                                                                        SHA-256:19F498CAE589207075B8C82D7DACEAE23997D61B93A971A4F049DC14C8A3D514
                                                                                                                                                                                                                                        SHA-512:02100FD4059C4D32FBAAA9CEAACB14C50A4359E4217203B2F7A40E298AD819ED5469F2442291F12852527A2B7109CC5F7BFF7FDAD53BA5ABF75FC5F0474E984F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\434f871c532673e1359654ad68a1c225\System.Configuration.Install.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\a

                                                                                                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):651
                                                                                                                                                                                                                                        Entropy (8bit):5.343677015075984
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                                                                                                                                                        MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                                                                                                                                                        SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                                                                                                                                                        SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                                                                                                                                                        SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..

                                                                                                                                                                                                                                        C:\Windows\Installer\6640c2.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878654579666831
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:C+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:C+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                        MD5:CA95E99D14A8DDFDF12406DD3D884888
                                                                                                                                                                                                                                        SHA1:A66E770830656FE38A6FDDD566D4E35C02E07CA1
                                                                                                                                                                                                                                        SHA-256:C3F805710D62FD6F1F1258A4C6C64CA0A5F69B3C650F3714A02CC691B7FFBA30
                                                                                                                                                                                                                                        SHA-512:18B7214EB14318AC143A1BFABE881E19FE35F4244E10C3B4B0AD1A774F692FA5202DE171729605AA3EA0DF3D48ADD67955DB4AB11009834486B15180F31CB4A3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\6640c4.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878654579666831
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:C+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:C+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                        MD5:CA95E99D14A8DDFDF12406DD3D884888
                                                                                                                                                                                                                                        SHA1:A66E770830656FE38A6FDDD566D4E35C02E07CA1
                                                                                                                                                                                                                                        SHA-256:C3F805710D62FD6F1F1258A4C6C64CA0A5F69B3C650F3714A02CC691B7FFBA30
                                                                                                                                                                                                                                        SHA-512:18B7214EB14318AC143A1BFABE881E19FE35F4244E10C3B4B0AD1A774F692FA5202DE171729605AA3EA0DF3D48ADD67955DB4AB11009834486B15180F31CB4A3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\6640c5.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878630966889847
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                                                                                                                                        MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                                                                                                                                        SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                                                                                                                                        SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                                                                                                                                        SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\6640d1.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878630966889847
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                                                                                                                                        MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                                                                                                                                        SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                                                                                                                                        SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                                                                                                                                        SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI2494.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):437217
                                                                                                                                                                                                                                        Entropy (8bit):6.6478200257140685
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:Ct3jOZy2KsGU6a4Kspt3jOZy2KsGU6a4Ksh:KzOE2Z34K+zOE2Z34Kc
                                                                                                                                                                                                                                        MD5:8303883A275E6D457AE8677DCE791F5D
                                                                                                                                                                                                                                        SHA1:7B2DFBBA10C6D3BE1C1A4898E222302DC3369240
                                                                                                                                                                                                                                        SHA-256:3D3E45E439CF59009BBE877DB159C24B27EF8C6982E349A75E50DC3B9A3217D6
                                                                                                                                                                                                                                        SHA-512:82E874E8EABA912681513675A9978402EE45045EA70D966FC8746DF91908BCE660DA6390BB34A27F49F4D80EA60027A013292E1C7BEE39C1A54EB6518AE74CA9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI2494.tmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.S.Y.@.....@.....@.....@.....@.....@......&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}..AteraAgent..ateraAgentSetup64_1_8_7_2.msi.@.....@.....@.....@........&.{911E9E2F-B38D-4D02-A148-5E49FC9D8943}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI24A5.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI25CF.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI268B.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI2C97.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI31D.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI466F.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI466F.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI466F.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI466F.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI466F.tmp-\CustomAction.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI466F.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI466F.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI466F.tmp-\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI49FA.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI49FA.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI49FA.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI49FA.tmp-\CustomAction.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI49FA.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI49FA.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI49FA.tmp-\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI61D8.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI61D8.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI61D8.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI61D8.tmp-\CustomAction.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI61D8.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI61D8.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI61D8.tmp-\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI6564.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):437330
                                                                                                                                                                                                                                        Entropy (8bit):6.648109872199414
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:lt3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4KsH:rzOE2Z34KGzOE2Z34Ki
                                                                                                                                                                                                                                        MD5:D14BD96EEB402701424D05B295EB47F3
                                                                                                                                                                                                                                        SHA1:C4928A77EF8E3F2B54A2EA03B32CEAA36058899A
                                                                                                                                                                                                                                        SHA-256:5CA1DF234FA412F99E79EE76E22FD7F7F5FAF21A98839C9D913BD1B92E3EC7F1
                                                                                                                                                                                                                                        SHA-512:471E6AA5D02251E4BC52E40026584E6FA3A5AE3496232987D7E3C8A1F56BD71ABA79B4DB95D446A0503500534644EBA1122CAEA5B40E2B212A6906538693F94F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI6564.tmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@mS.Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..Infraccion-Multa.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[.............

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI65A3.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI68F0.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI69FA.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI8CE5.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI8CE5.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI8CE5.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI8CE5.tmp-\CustomAction.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI8CE5.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI8CE5.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI8CE5.tmp-\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIA61.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):435972
                                                                                                                                                                                                                                        Entropy (8bit):6.651463800319369
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:bt3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4Kse:JzOE2Z34KGzOE2Z34K5
                                                                                                                                                                                                                                        MD5:17E234FF7726770E70A0F5C448F0EF75
                                                                                                                                                                                                                                        SHA1:8AA3597AB4528DA25670484749C2CE6A041E77D9
                                                                                                                                                                                                                                        SHA-256:58176249A825ED8FFF78CC2D2927F01DDADDC2CFD0BB57B1069938C1F9608182
                                                                                                                                                                                                                                        SHA-512:2D2C1FCC893275E960A7FEE1B4CF0B0E4D183C7782A560AC67729403D3574E415F9CD791164D465189037E00E613E66E950933F9ACD7AA9F8E6CC5174942DEBD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIA61.tmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.S.Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..Infraccion-Multa.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........InstallInitialize......&.{18F64F52-CE08-434F-A5F1-7A8A39D59EEA}....&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}c.&.{18F64F52-CE08-434F-A5F1-7A8A39D59EEA}............StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@..............

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIA72.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSID32.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSID81.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIF30D.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIF30D.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIF30D.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIF30D.tmp-\CustomAction.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIF30D.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIF30D.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIF30D.tmp-\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIF699.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\SourceHash{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.172417757755139
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JSbX72FjgClAGiLIlHVRpIh/7777777777777777777777777vDHFzTPrfWrl0i5:JCClQI5wBTr/F
                                                                                                                                                                                                                                        MD5:2B5A9A6423309D7B18549BB0BE7E361D
                                                                                                                                                                                                                                        SHA1:00CF69DE6F0DAC7C909F3C16440C8BAA7A6779F6
                                                                                                                                                                                                                                        SHA-256:1187AF378E3B5A31F6267CD4CE34B8E16C06F8A052B3D82F7F41E2281DF3F0FC
                                                                                                                                                                                                                                        SHA-512:239559CBF6E4696DC7B2B2DD7F33DA162A62F2E082D12398ADB41C77F0CF1C0243188E33E91945F99A4DE04F3C3B84196D32285BB355D7302E9F73312AD8F646
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.1665838783562412
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JSbX72Fj8lAGiLIlHVRp3h/7777777777777777777777777vDHFS60sNY1l0i8Q:JgQI5zQ3X8F
                                                                                                                                                                                                                                        MD5:28DED0CF37A09F22491A91055E12982B
                                                                                                                                                                                                                                        SHA1:293415620B3CCEA904B080B7238114B50D89F52D
                                                                                                                                                                                                                                        SHA-256:8A16A5EBF64B0392AE24278B8E83ECCE0B2561392F43E42812D42A248A2B06A4
                                                                                                                                                                                                                                        SHA-512:8C9BA46B550830E3D384A08B560823832EDAD981BA181F7591DE1BA13DBCDA9F020E9CF24A0D00856E1D2E0CB076994596DC7DAA035872EC0935CAA5BF63A925
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\inprogressinstallinfo.ipi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6187421031557387
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:a8PhPuRc06WXJEjT5xDpqISoedvPdvbCnuhnq9bnT3eTdStedvPdvxubS:lhP1HjTvDUIciuBu7jep4
                                                                                                                                                                                                                                        MD5:0382CF088DAD32C65E47DCE043A64290
                                                                                                                                                                                                                                        SHA1:FAAE3FCF0CF9B959CA36E40AF9F86FE55A97FB18
                                                                                                                                                                                                                                        SHA-256:AC487AA7D12D9402F78DEE7E49E4043B00DC117EDA74339831B2344CD03A30BB
                                                                                                                                                                                                                                        SHA-512:F04F4B1B670F1B344BB3E5FBA541C8EF05AA21E69F93DE7F3EBE475D6AC6512F96089AD7B3A999CB2FD07E0C3744A5AD8DC32CD54563FA02477462AD974B44EF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\inprogressinstallinfo.ipi, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):360001
                                                                                                                                                                                                                                        Entropy (8bit):5.362967893801601
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauG:zTtbmkExhMJCIpEf
                                                                                                                                                                                                                                        MD5:8655353F78AD4FE828FC235D855A924E
                                                                                                                                                                                                                                        SHA1:52C73B71BCC90F347D3217650B91A036B2E5622E
                                                                                                                                                                                                                                        SHA-256:B6EEF6B2F54C96E265A8B6DCF14DF064E7B3014AA5984E9778A3A4C68974181C
                                                                                                                                                                                                                                        SHA-512:302740E53FF9362F6623AC0AC63A6E9A62EBBACF49FF645C86EB1E719437877746317C3ACE5FC2F51BFE8E483D29D88AC6C4B1B714B4F4D3E5CD3430212FBAE5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

                                                                                                                                                                                                                                        C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):651
                                                                                                                                                                                                                                        Entropy (8bit):5.343677015075984
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                                                                                                                                                        MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                                                                                                                                                        SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                                                                                                                                                        SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                                                                                                                                                        SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..

                                                                                                                                                                                                                                        C:\Windows\System32\InstallUtil.InstallLog

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):704
                                                                                                                                                                                                                                        Entropy (8bit):4.805280550692434
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:tIDRFK4mAX7RBem7hccD+PRem7hUhiiGNGNdg6MhgRBem7hccD+PRem7hUGNGNkm:Us43XVBVhcmMRVhMipNVeBVhcmMRVhro
                                                                                                                                                                                                                                        MD5:EF51E16A5B81AB912F2478FE0A0379D6
                                                                                                                                                                                                                                        SHA1:B0F9E2EE284DD1590EA31B2D3AD736D77B9FC6A7
                                                                                                                                                                                                                                        SHA-256:2C5D5397CEDF66DB724FED7FB4515B026A894F517A0DFBE8AE8ADF52DB61AA22
                                                                                                                                                                                                                                        SHA-512:296A11DB55BFEE7D87897BB63BC9E2C05786D3FD73A894DA5AF76F7A756495C6CCC0959C88844DFB5560DE2374A257201D960E004EC09D8C9DFB50952C5EF2D2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\System32\InstallUtil.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...Running a transacted installation.....Beginning the Install phase of the installation...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Install phase completed successfully, and the Commit phase is beginning...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Commit phase completed successfully.....The transacted install has completed...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):471
                                                                                                                                                                                                                                        Entropy (8bit):7.148766108125185
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JyYOHVBI5GLsHHVB5NKXjMpMq7SI0tYt3:JROHVOILsnVLHr7b3
                                                                                                                                                                                                                                        MD5:B422DA6009B649F280C67169B7C724D9
                                                                                                                                                                                                                                        SHA1:2C9B387791245DF9085CF1F7C1EFE52280A47AE2
                                                                                                                                                                                                                                        SHA-256:7124869DFB944B74C27271D296DF32B6680AB3344FB80ED92803D49290B8188A
                                                                                                                                                                                                                                        SHA-512:7EEB1DCEF11723E2782ADD3A6BAA890AF27CE8D937077B49255BB7A0C3BD677AF17D5D7575B654B056AF07A0F6F803DAEFD22A5016EE1027B2835978199F9788
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0..........0.....+.....0......0...0......E....1-Q...!..m....20241202190516Z0s0q0I0...+...........@..D3=?..Mn8...Q..E....1-Q...!..m..........-...P..@.Z....20241202190516Z....20241209190516Z0...*.H...............0..,.,(.n..s..5..7q.JC......?N.....fG{.2g|....<8.I....A..R.F..?.<+.....~@..{5&^....W.(.Q....@+......~..HW...u....v.....^..~..1.....9.8iXBlZ'<[......U%. {..[.=.b0..D....q(.@j....f...[75aH.............".}...r..s.T.....k7..+......:.jv.9

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):71954
                                                                                                                                                                                                                                        Entropy (8bit):7.996617769952133
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                                                                                                                                                                        MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                                                                                                                                                                        SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                                                                                                                                                                        SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                                                                                                                                                                        SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):727
                                                                                                                                                                                                                                        Entropy (8bit):7.548109412210474
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:5o6Tq904c5h44TUq/U+jyFumVBkBFC+GXldpaNjQVq8TyMM4BaV5QWXCxlca2kX:5B7oq/Vj0VBOFJGVdpakq8TyMMHbXKKA
                                                                                                                                                                                                                                        MD5:E5ADD7CF21CBA7FE68F9BA9CD080050A
                                                                                                                                                                                                                                        SHA1:C5FD91EB2FEE889C3D68AC775FAA14D31E691E41
                                                                                                                                                                                                                                        SHA-256:917F02C82F5A189105352C69F356F3B55C8F7815E5F85B5FB694B013A5373493
                                                                                                                                                                                                                                        SHA-512:AF74FE944D9063801EF7C05486B86F4FC1A7D8897ABAA48A9C2E3A15874522CAE914DD795E97E81F4047487FB7774BB978E28ED58122B84FBE67EF2C01CA3060
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0..........0.....+.....0......0...0......h7..;._....a{..e.NB..20241202213713Z0s0q0I0...+.........]....^Idk...NG.X....h7..;._....a{..e.NB...(I.x...#...R....20241202212101Z....20241209202101Z0...*.H.............e[X.G2..,.y ..>.q\0.*.-.Lo.F...".T.t......4...2.1&.0.GSKk....;FF.>.sT. .^....XKS......E&=......7.m...3.f.....IT..r..l.AQ.......z.......c*...Qc3...bbx$l.HZ..T......O.j...j.. ~8.j..bpg./...MS...i......W[HU.G.#...{.vdB..#.ht..Xi....T@._^..0.Ii.Q9....... xf......Mo.......<..]..A@...q.d.;N....`..2...i.?.....c....l.].B-\..>.kV....;..a`.........(..9._.b+2..@...".m..J.P..$._.O.pB.t.@.4....E)...Q...l...A.i....{.3XL... .`.........A.P....:.....`.|.+8.R..../...W..L.m.U.....}1....h..6'.t.c1S.Q

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):737
                                                                                                                                                                                                                                        Entropy (8bit):7.5459160905057585
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:yeRLaWQMnFQlRAzXccFfBCoQuLfvfVL2gEcDYxrowZtrylQ9i0R4Zpiny3WFD4iv:y2GWnSWXPtgoQSfvfVSbcDYxMmuK9isl
                                                                                                                                                                                                                                        MD5:2F6BE0043B79E06B658DC11589BE0C06
                                                                                                                                                                                                                                        SHA1:B7B59F21920233135B77660BBAF2A0907D81F9D8
                                                                                                                                                                                                                                        SHA-256:E2A161A0E380794173600B0DD45020C84A805B085EF685579D8C21B90CFBA8FC
                                                                                                                                                                                                                                        SHA-512:7B6E78E8C9A85BE771ED1743C42094BF01F0CEFF27FC341074886675D288EA7D7B74840365FDCDA3C7349D141E8C504E460645B49CB9288C6673F5E1F527E763
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0...0.....0...*.H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G4..241126210859Z..241217210859Z.00.0...U.#..0.......q]dL..g?....O0...U........0...*.H................n..D.0..G;...=.,.*_.e.3.;...R..A.Y.ol.c.BT...1.c..>.....x."..LRT:..m.0...\.|....o.....U.h&..Qn6.....c.R>mkO........yv.4..N...I.W...C.VR..G..6P.V..Sg.I[h...p..".!..|Q.$G.I&7|....g....oJ.f.S.&..R.~Ihj".*..v*............i.oR..w.6/U..DC.a_......O....u}.y;x{..Op.lmafL@S.wVe#-n.?..?$..0..u..f.M`R..6.....MA...%o... .JA.9......V.fb.cw...W.|..b......."/r......nn.U.F.ox.@L...I=fo\...3..\..\XFU.......9.....a....1.z..'.....%...M.8...g..:-.G...^.G`y.fUc.b...9.....X.^.....^..).o5:4.C....!`.~8......<

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Certificate, Version=3
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1716
                                                                                                                                                                                                                                        Entropy (8bit):7.596259519827648
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
                                                                                                                                                                                                                                        MD5:D91299E84355CD8D5A86795A0118B6E9
                                                                                                                                                                                                                                        SHA1:7B0F360B775F76C94A12CA48445AA2D2A875701C
                                                                                                                                                                                                                                        SHA-256:46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
                                                                                                                                                                                                                                        SHA-512:6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0...0............@.`.L.^.....0...*.H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...210429000000Z..360428235959Z0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA10.."0...*.H.............0........./B.(.x.].9Y...B.3..=..p..&0...h.\..4$..KO.xC........g.RO..W.......>Mp$d....}4}L.W.kC....;....GZ..L.. %............e....I5.=Q..!xE...,.......IpB2......eh..ML..HRh....W]...e...O.,H.V.5........7.....|...2........t..9..`.....1.......#GG...n..m.....jg-.D......;...2Z..j`T.I....\.o.&....8........o.a4\..E(.6*f(_.s.&%....\...L.b.^3........+..6y.....u.e..HP.w....P.F.aX..|..<.(.9....S..G.u0..0.v..[K]taM?..v.X.r.)A...m&vh.A.X..&+..MY.x.J>@G_.Ps..#!Y`.dT..!..8.|f..x8E0.O.cOL....SA|X=G....2...l<.V.........Y0..U0...U.......0.......0...U......h7..;._....a{..e.NB0...U.#..0.......q]dL..g?....O0...U...........0...U.%..0...+.......0w..+........k0i0$..+.....0...http:/

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):727
                                                                                                                                                                                                                                        Entropy (8bit):7.584626399599317
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:5onfZ4c5RlRtBfQa4s72CnIPCavVggRisIoeHZXfj8EsTG+oTptSrxt:5iucdZl4adIJvVesIrJglZo3SP
                                                                                                                                                                                                                                        MD5:1DC1121E24814AB2E9102C631F6368E5
                                                                                                                                                                                                                                        SHA1:55F7935319102E893D0DF7BA28C35343456300EE
                                                                                                                                                                                                                                        SHA-256:8ED09687565336351EF88085DCF6CFC841AF12A63433ECC12C2F13A9557C3C59
                                                                                                                                                                                                                                        SHA-512:132158F8F2BDF5D66CD4F3FED37405027D4233C79A365027E5D8D0EA20C5D23805BD298358DF371B625486282867BA93A3FF5945DDDF3AE8D91DD2630E477DF4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0..........0.....+.....0......0...0..........q]dL..g?....O..20241202184215Z0s0q0I0...+........."..;F..=\@ua..........q]dL..g?....O....@.`.L.^........20241202184215Z....20241209184215Z0...*.H................!A..%.I....X...;..J.......I..4../.i.......q.......(...E.9.."RDX..,J.o..`....]...z%..5_!.^b.p...v.......A..,.8.aU................m..._).y?.......pN.J_..........$.Es8...?...\.6...Z&........X^.....JeURs..V..}...*<......|....o.a.*~W+M!..IJ.M.2..:sD=.Y-.{.HK....N..Vp.......N,.b9'..].|....-.....).j........Q....GO'.;`..r....V..v..g.Ym.{...'.E.kze.lu..w._? ..N..F>.2.~...(...]...y.....Q....RwT....Y..!......[T..-.-...r...F..R...p......z.8.l....<K$...i.NN.LJ..L.}...K.1...B..m+yT8E..D.e...d.

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Certificate, Version=3
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1428
                                                                                                                                                                                                                                        Entropy (8bit):7.688784034406474
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
                                                                                                                                                                                                                                        MD5:78F2FCAA601F2FB4EBC937BA532E7549
                                                                                                                                                                                                                                        SHA1:DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
                                                                                                                                                                                                                                        SHA-256:552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
                                                                                                                                                                                                                                        SHA-512:BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0...0..x..........W..!2.9...wu\0...*.H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...130801120000Z..380115120000Z0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40.."0...*.H.............0..........sh..]J<0"0i3..%..!=..Y..).=X.v..{....0....8..V.m...y....._..<R.R....~...W.YUr.h.p..u.js2...D.......t;mq.-... .. .c)-..^N..!a.4...^.[......4@_.zf.w.H.fWW.TX..+.O.0.V..{]..O^.5.1..^......@.y.x...j.8.....7...}...>..p.U.A2...s*n..|!L....u]xf.:1D.3@...ZI...g.'..O9..X..$\F.d..i.v.v=Y]Bv...izH....f.t..K...c....:.=...E%...D.+~....am.3...K...}....!........p,A`..c.D..vb~.....d.3....C....w.....!..T)%.l..RQGt.&..Au.z._.?..A..[..P.1..r."..|Lu?c.!_. Qko....O..E_. ........~.&...i/..-............B0@0...U.......0....0...U...........0...U..........q]dL..g?....O0...*.H..............a.}.l.........dh.V.w.p...J...x\.._...)V.6I]Dc...f.#.=y.mk.T..<.C@..P.R..;...ik.

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):338
                                                                                                                                                                                                                                        Entropy (8bit):3.4738726491832708
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kKDhn8M/aJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:LhnZBkPlE99SCQl2DUevat
                                                                                                                                                                                                                                        MD5:756A956BB60C3E210D972AD0C5B01256
                                                                                                                                                                                                                                        SHA1:05D14CC8849DBC654BC238A7D88CD34E0A8E2126
                                                                                                                                                                                                                                        SHA-256:E19C7C5259D04C9612FF4EDE31F90A54C559DAEB20D262EDB69A598AA7B66732
                                                                                                                                                                                                                                        SHA-512:137A0AD420C88AC081077DCDAB2620B329EDF425A68CE496ED901C49098F6E5D533BC87BA23B342D9CC2744965E1BEF7C8821CDE42F2017F7919196F4105C28E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... .........#...E..(..................................................J-F.. .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):400
                                                                                                                                                                                                                                        Entropy (8bit):3.917237514770517
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kKd0DIAHXlRNfOAUMivhClroFzCJCgO3lwuqDnlyQ4hY5isIlQhZgJn:FqhmxMiv8sFzD3quqDkPh8Y2ZM
                                                                                                                                                                                                                                        MD5:95B06129D05EDABBAFC2733B22C2CB0C
                                                                                                                                                                                                                                        SHA1:5836631DA7F471C22843D771A1E826EE4BD972FA
                                                                                                                                                                                                                                        SHA-256:ED6E84975433D24E64EA98C1A25BC1CB968AAAED51927E87E3C0B10EEDC7B75B
                                                                                                                                                                                                                                        SHA-512:51925627FDD7AC55000B8B9B531A0C6CC94B87926C16F6AA00D07B3F08827DAC625033273947B34C0C6E5C02EB7F999AA872530EB505FE90203388033F0E5A5B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... .........<n.E..(................>C..D...~'HmJ...................~'HmJ.. ........[wM.E.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.3.x.L.4.L.Q.L.X.D.R.D.M.9.P.6.6.5.T.W.4.4.2.v.r.s.U.Q.Q.U.R.e.u.i.r.%.2.F.S.S.y.4.I.x.L.V.G.L.p.6.c.h.n.f.N.t.y.A.8.C.E.A.6.b.G.I.7.5.0.C.3.n.7.9.t.Q.4.g.h.A.G.F.o.%.3.D...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):328
                                                                                                                                                                                                                                        Entropy (8bit):3.2478978672539016
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kKks9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:sPDImsLNkPlE99SNxAhUe/3
                                                                                                                                                                                                                                        MD5:F342FF6E76052C6E1194DE855A12F075
                                                                                                                                                                                                                                        SHA1:2B6300E77527C86019D1C209902143947617DD88
                                                                                                                                                                                                                                        SHA-256:37BA69426844AB4EE553DE9B8388C228C68911B4E0543F2D0C94AE1009B09A4F
                                                                                                                                                                                                                                        SHA-512:3DAE7F4376FD2BE6FBF79167F741A16636939E72B7E7A7BFAC8C9CE6FDDDE18332B68AA9B8151B689B719B2BCA134E5A6EDF8667806E06772D74E8279C19253B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ........[g(.E..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):404
                                                                                                                                                                                                                                        Entropy (8bit):3.915994621445248
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kK3CvzRxswjfOAUMivhClroFHXHDZA6liyZlSlMul0bg3PWovy28lhl+KscSikK2:qzRaamxMiv8sF3HtllJZIvOP205scn8
                                                                                                                                                                                                                                        MD5:3AC23FBBBE264020C80CA131F4B1C435
                                                                                                                                                                                                                                        SHA1:4ACBAC646ABCF1294C91386529278CAC8A82FDE0
                                                                                                                                                                                                                                        SHA-256:E83FF4698B96C492B1A31E7509FBF0FFA0DE8A524DED379B6FDB00E93F756EEF
                                                                                                                                                                                                                                        SHA-512:C16E2334119963CE7B6DEB4B09A4DF7F76B7653662DF02C483F43B3150F47E52A440A7EEDE37652FDB5DBDD1CBCDC0299A19E365A680E75C174BF3959D5CE013
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... .... ...UAI..E..(....................E...t/.wJ...................t/.wJ.. .........@.E.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.S.R.X.e.r.F.0.e.F.e.S.W.R.r.i.p.T.g.T.k.c.J.W.M.m.7.i.Q.Q.U.a.D.f.g.6.7.Y.7.%.2.B.F.8.R.h.v.v.%.2.B.Y.X.s.I.i.G.X.0.T.k.I.C.E.A.o.o.S.Z.l.4.5.Y.m.N.9.A.o.j.j.r.i.l.U.u.g.%.3.D...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BA74182F76F15A9CF514DEF352303C95

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):248
                                                                                                                                                                                                                                        Entropy (8bit):3.038034917176809
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:kkFklfgpvfllXlE/x+JlrtINRR8WXdA31y+NW0y1YbXKw+l1M7GlRJRq3AWlll:kK/pm+JliFAUSW0PTKDXM6lE3J
                                                                                                                                                                                                                                        MD5:2135C767DF3B61B4B611FA72DFF6B557
                                                                                                                                                                                                                                        SHA1:0B8F5EDF909A15BA4BBF3F10F82135D4EC0BEA62
                                                                                                                                                                                                                                        SHA-256:DC9F959102D9EF3648D8825A01D2A540FB7F3371D3D38B19A514AC0617F6558A
                                                                                                                                                                                                                                        SHA-512:7C4A60E2A9A03E0BDFBCB5819B850D3F9BE64B6D0114BCDD65540C780727C12A6F3D11E8FD881C4CC50FEA66DFF5D70AAD63832E55890E397863923AF80D8CBB
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ....f...C{c..E..(....................................................... ...........P@.. ...................h.t.t.p.:././.c.r.l.3...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.l...".6.7.4.6.4.8.6.d.-.2.e.1."...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):308
                                                                                                                                                                                                                                        Entropy (8bit):3.2001574277595393
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kKlgLnzNcalgRAOAUSW0P3PeXJUwh8lmi3Y:SLStWOxSW0P3PeXJUZY
                                                                                                                                                                                                                                        MD5:7C3ACA0FBADF64EB85E244076070CE3A
                                                                                                                                                                                                                                        SHA1:BF760CE3CF44AA43A1EDE86514C897046B1E85D4
                                                                                                                                                                                                                                        SHA-256:738E8760A2C094A1DAD93DA73F22B1E57874C0C6C40BF31991F86F7AFAC10B09
                                                                                                                                                                                                                                        SHA-512:2CD3139B20094233836BB2A36ADB3188778C8CDF5EFFB54AA7D5458D3B0374B866991B638996EB1F24A9D584D57AE14B0FA0331F7320DD55B21CB7274D3DC39E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... .........E.:.E..(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):412
                                                                                                                                                                                                                                        Entropy (8bit):3.9677402374738473
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kKLY4m0r1EfEkfOAUMivhClroFfJSUm2SQwItJqB3UgPSgakZdPolRMnOlAkrn:kEuBmxMiv8sFBSfamB3rbFURMOlAkr
                                                                                                                                                                                                                                        MD5:CB16B7A9C443B590A8E5D0F62B9A3BEC
                                                                                                                                                                                                                                        SHA1:6CCE68C7CE10E96CF2D40092E9060B8C1458566E
                                                                                                                                                                                                                                        SHA-256:DFA30EBED5AC5CA6DE6CDEFE96B966809C4145614AD9FE0A7C74FA61528908EC
                                                                                                                                                                                                                                        SHA-512:C406DF839412CE234AF68EBE197CCFFC94388AD546DD1877D4AEFFDF4060D0A4290C1894405BAFF42B8535665E4E4CEFB30F601B0C117599478DA9E7C61A6A73
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ....(...bH...E..(................]...D......jJ......................jJ.. ..........E.E.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):254
                                                                                                                                                                                                                                        Entropy (8bit):3.06077288271926
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kK/LDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:XLYS4tWOxSW0PAMsZp
                                                                                                                                                                                                                                        MD5:A5D512FB64C99751AA535712C8B950EE
                                                                                                                                                                                                                                        SHA1:E38CDBA14789E73494E991138D95BFA11ED52DB9
                                                                                                                                                                                                                                        SHA-256:1E2DF74E616B635AD50702EFAF3933B0BCC239E25D548D65977116C28CC1B873
                                                                                                                                                                                                                                        SHA-512:3C32A84842ADA681D90A2F004AD1CA519131D2BD160E1E97D680BB77F8B3836CEE6FBC37E1CE33B8C25D2E0D1F1296F74FEA2913231F09D76B3A6F50F761B9DD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ....l....z.b.E..(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1944
                                                                                                                                                                                                                                        Entropy (8bit):5.343420056309075
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQg8mHDp684YHKGSI6oPtHTHhAHKKkhHNpaHKlT44HKmHKe60:iqzCYqGSI6oPtzHeqKkhtpaqZ44qmq10
                                                                                                                                                                                                                                        MD5:437E4DCFC04CB727093C5232EA15F856
                                                                                                                                                                                                                                        SHA1:81B949390201F3B70AE2375518A0FFD329310837
                                                                                                                                                                                                                                        SHA-256:5EADB9774A50B6AD20D588FDA58F5A42B2E257A0AA26832B41F8EA008C1EB96B
                                                                                                                                                                                                                                        SHA-512:0332C7E5205CF9221172473A841284487ACC111780A58557231FCDE72A5EDB7E7E3EF6C87AB9682A688BC24992A74027F930267B541039BD8757EEF4E2F51A0E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):3043
                                                                                                                                                                                                                                        Entropy (8bit):5.361093730986187
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKk9HVsHUHhHKe6PfHKWA1eXrHKlT4d6HNHGHPmHKm:iqbYqGSI6oPtzHeqKk91s0Bq13qhA7qp
                                                                                                                                                                                                                                        MD5:7FBB3BC293626F02EEE5D12A2FC44FE7
                                                                                                                                                                                                                                        SHA1:A736DE9B60CEC25864AE995EF046F3F317B5D1AC
                                                                                                                                                                                                                                        SHA-256:B6ED7FB8E1D3A5AB9858099700CDA16766D6F442587CD6F965815CF8AFC1444D
                                                                                                                                                                                                                                        SHA-512:C175AF1525508EEA8DEAE8BE67E4780922492B3D01ACDB36B43220DE5B57898F10558F80C5D6218B61A236D35C41047527C6AD00770F477E23507AAEA7EF2000
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Net.Http\f4

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):1933
                                                                                                                                                                                                                                        Entropy (8bit):5.381647656863045
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkCHKe6PfHKWA1eXrHKlT4fHeHK/:iqbYqGSI6oPtzHeqKkCq13qhA7qZ4f+m
                                                                                                                                                                                                                                        MD5:52CDAA83C48EDB391B9D77AE080A7F05
                                                                                                                                                                                                                                        SHA1:BC3E421F10517820F55349F0C636CE6F5AC43D25
                                                                                                                                                                                                                                        SHA-256:CC4BC1EB52CD4548732E5120182DE3E3B7F5D9191BAF7B0D40DF17D30D0C0D5C
                                                                                                                                                                                                                                        SHA-512:FDFA5A33A156B89D4772A5A503ECD01B5780CD88B2286FDD0DFA47477A7EF58C5F5720CA591A7F27014AB5ED7A6CE3CDA0E71CD329332498F207AC4439626813
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\545a9409c1

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1075
                                                                                                                                                                                                                                        Entropy (8bit):5.353521172341231
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNa8mE4Dp689:MxHKQwYHKGSI6oPtHTHhAHKKka8mHDpN
                                                                                                                                                                                                                                        MD5:BDADAD127D5A6079C29C0C870A5C3C2C
                                                                                                                                                                                                                                        SHA1:AD5D30886AE959F271CF777D386A31CD792C9A64
                                                                                                                                                                                                                                        SHA-256:7186B9EAC66BD83E5E1C050D81529BC68511538118E65019EBECFD952C22FD55
                                                                                                                                                                                                                                        SHA-512:198087F52C39A32ACE7A90E9212C2AA0F31EDF8349773C8C6C5495CA82C890F9A8A44356AC5AEBB42F3342E6BE981DC4BCFE1D7FB43760745D7240A117257725
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv7

                                                                                                                                                                                                                                        C:\Windows\Temp\AteraSetupLog.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):227614
                                                                                                                                                                                                                                        Entropy (8bit):3.78607664951909
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:aSBeJhfaK57GPexTYadLv3dKGrpDrjsxY7Zs8vBZhb5quDyKkvhXysV18DA7wd0y:aS2AajEWJLJLkjyzOwTuyQ9Ile7D6T
                                                                                                                                                                                                                                        MD5:6ED93474078216C5CEA21702ED30B540
                                                                                                                                                                                                                                        SHA1:34CE5B853F73B410D7137CE9BE985DC607560038
                                                                                                                                                                                                                                        SHA-256:97D8B77A1C8D9C80FC6FC53205191A225C6D2BC3B3660F35E71AE61B693817B0
                                                                                                                                                                                                                                        SHA-512:6F1FCE243CACD24BCFA9DDBD6892718D57B4ED59ED948962EF8649CB5258D032AC17253E096419ADEBABF7B9DC0E2F1620AD0F99E23668746C3D6C4197485A6F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\AteraSetupLog.txt, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .0.3./.1.2./.2.0.2.4. . .1.2.:.1.8.:.3.6. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.m.s.i.e.x.e.c...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.7.8.:.A.C.). .[.1.2.:.1.8.:.3.6.:.9.6.8.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.7.8.:.A.C.). .[.1.2.:.1.8.:.3.6.:.9.6.8.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.7.8.:.A.C.). .[.1.2.:.1.8.:.3.6.:.9.6.8.].:. .*.*.*.*.*.*.*. .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . .*.*.*.*.*.*.*. .P.r.o.d.u.c.t.:. .C.:.\.W.i.n.d.o.w.s.\.T.E.M.P.\.a.t.e.r.a.A.g.e.n.t.S.e.t.u.p.6.4._.1._.8._.7._.2...m.s.i..... . . . . . . . . . . .*.*.*.*.*.*.*. .A.c.t.i.o.n.:. ..... . . . . . . . . . . .*.*.*.*.*.*.*. .C.o.m.m.a.n.d.L.i.n.e.:. .*.*.*.*.*.*.*.*.*.*.....M.S.I. .(.c.). .(.7.8.:.A.C.). .[.1.2.:.1.8.:.

                                                                                                                                                                                                                                        C:\Windows\Temp\SplashtopStreamer.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):40134198
                                                                                                                                                                                                                                        Entropy (8bit):7.941516484405911
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:786432:6x6nOlttpvhus+cERcrYSjOAYU41gWJDJn051AOnsC/C6VMIMuY:xnOdpvYs+cvrrjOAYfDJnEAOns5wY
                                                                                                                                                                                                                                        MD5:0FF25E4A4A41EDC659E8AAC2BF67C82C
                                                                                                                                                                                                                                        SHA1:1FA0DA4A1D4DAADAFB4CCBF0482CC740A27878D9
                                                                                                                                                                                                                                        SHA-256:4F42E7B545BC6C6A732072639E49ECA8E0BA72360993B1869CF55E9FD6373133
                                                                                                                                                                                                                                        SHA-512:C08CAEBCA54659AECCBF34CA96208FE8B389C3CD5C36A25639966D000BE9E91CA3BA05F9237CBBDEFADBCABE8A911C51D28F44FC14D6DCA85EE22A3DEA41839F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........{F~.(F~.(F~.(O.8(U~.(F~.(.|.(O.>(\~.(O.((.~.(O./(.~.(O.!(A~.(O.?(G~.(O.:(G~.(RichF~.(................PE..L.....Gg............................./............@.................................Rwd.............................................. ..(............0d..(..........`................................i..@...................D........................text............................... ..`.rdata..............................@..@.data....^......."..................@....rsrc...(.... ......................@..@........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\ateraAgentSetup64_1_8_7_2.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878630966889847
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                                                                                                                                        MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                                                                                                                                        SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                                                                                                                                        SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                                                                                                                                        SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF07AECB9F4C2879FE.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF0BD6765B203B669B.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.229769669755733
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:xVUuKJveFXJfT5dDZqISoedGPdGT1aStedGPdGTn:/U4HTbDkIND
                                                                                                                                                                                                                                        MD5:013F0D9127380AC9ED450CF255CEF88C
                                                                                                                                                                                                                                        SHA1:8693279DD3D09BCC3DC9023BF6CE8992803C20E9
                                                                                                                                                                                                                                        SHA-256:5681F5E93329CBD96708763F035811DC2AB829B78DA15D610A3E2003884AA11E
                                                                                                                                                                                                                                        SHA-512:A2007E17F52EF9506F324059DE577C17F35AF07665E88853CA286A5A32F80AF91F88696A5B8C951D9DB95441843DBC10E011AAE032CA5B4FCF11DC1DC17A2E3A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF0BD6765B203B669B.TMP, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF0BD6765B203B669B.TMP, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF0BD6765B203B669B.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF12942E104C552334.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF14FB2729DD387555.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF23658052980948C6.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF27A3E6EAEB30AC32.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF30A278409BEACFF0.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF330B201BF0755807.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49152
                                                                                                                                                                                                                                        Entropy (8bit):0.9999484770533895
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:eMMXukJveFXJfT5pHDpqISoedvPdvbCnuhnq9bnT3eTdStedvPdvxubS:uXaHTnHDUIciuBu7jep4
                                                                                                                                                                                                                                        MD5:9F6C1A48AD27E39C13B2517F90012F1D
                                                                                                                                                                                                                                        SHA1:1636DB1195562A3DF2D86564F67BDDFCE72EAB44
                                                                                                                                                                                                                                        SHA-256:1F53C4EE18B8EB8E2923773CAEA4321DBD4B59508025E9809A42B8B08853A391
                                                                                                                                                                                                                                        SHA-512:BEDBB4057C0116E63B1F2D16D3E54A9E0392891741E96589DAA09C480569A9C7E7B716FCA0CB63C6DD491A94E8F1FB4C83814130AEE8BE18C6C24A81075E8E63
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF330B201BF0755807.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF3C9EDA7385DB5313.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.255919286192415
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:4gFukUPveFXJFT5bgvVqISoedGPdGfMnr0StedGPdGRubkZn:hFTtT1CoIB4oYZ
                                                                                                                                                                                                                                        MD5:4682EDEBE7418C882A6E4F828B39C336
                                                                                                                                                                                                                                        SHA1:F3EF97F1E0D9CE0705C6954115C5E4CDE9395938
                                                                                                                                                                                                                                        SHA-256:4931021E962D279234489C50CC7A2B22651A29F4628879126A09FE21D9F4AF2F
                                                                                                                                                                                                                                        SHA-512:DC4866A866D7787AE5AC4686FB376C61AD22143CA829D3534FFEBD79B12D80D2E62C76020792FF16CC1BF4DE5459F9102659CFF3D8B418F77B569008E783ECE0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF3C9EDA7385DB5313.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF3FB73F5359DC325D.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF45F41F117CAD3B03.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.13001003106671305
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:CnAipVfedGSadGS7qIipVGedGSadGSfEqasJGAWTZkhZ+e+nD:CnAStedGPdGeqISoedGPdGT1eh
                                                                                                                                                                                                                                        MD5:BA354FEF7544B939BD63C59FAE43D195
                                                                                                                                                                                                                                        SHA1:8CEE5929C650E71A7AB79B091004EB167070D1F3
                                                                                                                                                                                                                                        SHA-256:EFF2B198CCD1A422496F837FAE6E12DD79AF760250892F25121A421E438FAA81
                                                                                                                                                                                                                                        SHA-512:DDA9012394D5EEB40139ECA37B3D868BF530F70D86B296F7E5F7C7625B14AB437694CCFE13F69B3ED24FC63408694AECDC1FEAF56E35DDDFF5243FABEA0E0AD3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF45F41F117CAD3B03.TMP, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF45F41F117CAD3B03.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF4765DD586EC322CA.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2207858946014327
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:I8PhcuRc06WXJEjT5hDZqISoedGPdGT1aStedGPdGTn:Xhc1HjTfDkIND
                                                                                                                                                                                                                                        MD5:F008451798E4C7F4748DCB51875EEB4C
                                                                                                                                                                                                                                        SHA1:044716DBC3AB7FB3A530262CF97EEF7B72F1AC2D
                                                                                                                                                                                                                                        SHA-256:613CAE929C601E0FDD5E928C6ABFCB2734AD03A88147DEF883CC24BBB08EAF9B
                                                                                                                                                                                                                                        SHA-512:20B2822E0B772D444013BF118EA6E8A29EC7E0B31A68B74EB78DBA8E85F28D864E9A2B26BF487362436CD5F2CD0C4C681943F339BF49548FFCD3709083FD2B67
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF4765DD586EC322CA.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF4BC2DB7B878D0352.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49152
                                                                                                                                                                                                                                        Entropy (8bit):0.9999484770533895
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:eMMXukJveFXJfT5pHDpqISoedvPdvbCnuhnq9bnT3eTdStedvPdvxubS:uXaHTnHDUIciuBu7jep4
                                                                                                                                                                                                                                        MD5:9F6C1A48AD27E39C13B2517F90012F1D
                                                                                                                                                                                                                                        SHA1:1636DB1195562A3DF2D86564F67BDDFCE72EAB44
                                                                                                                                                                                                                                        SHA-256:1F53C4EE18B8EB8E2923773CAEA4321DBD4B59508025E9809A42B8B08853A391
                                                                                                                                                                                                                                        SHA-512:BEDBB4057C0116E63B1F2D16D3E54A9E0392891741E96589DAA09C480569A9C7E7B716FCA0CB63C6DD491A94E8F1FB4C83814130AEE8BE18C6C24A81075E8E63
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF4BC2DB7B878D0352.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF528258350F0B1D00.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.229769669755733
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:xVUuKJveFXJfT5dDZqISoedGPdGT1aStedGPdGTn:/U4HTbDkIND
                                                                                                                                                                                                                                        MD5:013F0D9127380AC9ED450CF255CEF88C
                                                                                                                                                                                                                                        SHA1:8693279DD3D09BCC3DC9023BF6CE8992803C20E9
                                                                                                                                                                                                                                        SHA-256:5681F5E93329CBD96708763F035811DC2AB829B78DA15D610A3E2003884AA11E
                                                                                                                                                                                                                                        SHA-512:A2007E17F52EF9506F324059DE577C17F35AF07665E88853CA286A5A32F80AF91F88696A5B8C951D9DB95441843DBC10E011AAE032CA5B4FCF11DC1DC17A2E3A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF528258350F0B1D00.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF5917DBEA1D8240A7.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF5E7EB2916F860181.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.569650689881938
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:E8Ph9uRc06WXJAFT5bgvVqISoedGPdGfMnr0StedGPdGRubkZn:bh91DFT1CoIB4oYZ
                                                                                                                                                                                                                                        MD5:BEB7478D4F53378304945C4FC9A6D219
                                                                                                                                                                                                                                        SHA1:C4FEF76745478941D724D416AFAF6EDA6FDED49A
                                                                                                                                                                                                                                        SHA-256:E233BA5ECE1D916BCEB246BAC861A02C015A8365B7AA19A18483E0C06F5027AC
                                                                                                                                                                                                                                        SHA-512:1BAF3EDD2A1A44CADC2A0071F02921971D83C0BFE316A6D6A69A74D47DBE6DCBE6574266D614CE3FA6FF009332145FA48DA5F784333B98D1141898641F14327C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF5E7EB2916F860181.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF68C8E67706703F3C.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):0.077966497703753
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO1LtCmOuPrfkiVky6l51:2F0i8n0itFzDHFzTPrfWr
                                                                                                                                                                                                                                        MD5:785EA75A2FB1DB6D9155B28A1291DAF3
                                                                                                                                                                                                                                        SHA1:6B86F7E077D0A8823383FBB776313FEDB17BFDEA
                                                                                                                                                                                                                                        SHA-256:BCD727E77C067BD5A31C13E8024F00ED60381D9AB725CAE2E6777A5708C9DDE0
                                                                                                                                                                                                                                        SHA-512:1834BBF627951711C96708EE7AA4B6C069055E832C717561DC77592E68EFB93E65FE825A5D3D13859057C93BE96CC12701D725491C4CFC49A4EE4FD40942E72A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF7BD736307C5033B0.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6187421031557387
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:a8PhPuRc06WXJEjT5xDpqISoedvPdvbCnuhnq9bnT3eTdStedvPdvxubS:lhP1HjTvDUIciuBu7jep4
                                                                                                                                                                                                                                        MD5:0382CF088DAD32C65E47DCE043A64290
                                                                                                                                                                                                                                        SHA1:FAAE3FCF0CF9B959CA36E40AF9F86FE55A97FB18
                                                                                                                                                                                                                                        SHA-256:AC487AA7D12D9402F78DEE7E49E4043B00DC117EDA74339831B2344CD03A30BB
                                                                                                                                                                                                                                        SHA-512:F04F4B1B670F1B344BB3E5FBA541C8EF05AA21E69F93DE7F3EBE475D6AC6512F96089AD7B3A999CB2FD07E0C3744A5AD8DC32CD54563FA02477462AD974B44EF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF7BD736307C5033B0.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF84FB0B0A21BF328B.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.255919286192415
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:4gFukUPveFXJFT5bgvVqISoedGPdGfMnr0StedGPdGRubkZn:hFTtT1CoIB4oYZ
                                                                                                                                                                                                                                        MD5:4682EDEBE7418C882A6E4F828B39C336
                                                                                                                                                                                                                                        SHA1:F3EF97F1E0D9CE0705C6954115C5E4CDE9395938
                                                                                                                                                                                                                                        SHA-256:4931021E962D279234489C50CC7A2B22651A29F4628879126A09FE21D9F4AF2F
                                                                                                                                                                                                                                        SHA-512:DC4866A866D7787AE5AC4686FB376C61AD22143CA829D3534FFEBD79B12D80D2E62C76020792FF16CC1BF4DE5459F9102659CFF3D8B418F77B569008E783ECE0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF84FB0B0A21BF328B.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF88E8D9B67EDE88AC.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF8A7712CC4AE893DF.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6187421031557387
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:a8PhPuRc06WXJEjT5xDpqISoedvPdvbCnuhnq9bnT3eTdStedvPdvxubS:lhP1HjTvDUIciuBu7jep4
                                                                                                                                                                                                                                        MD5:0382CF088DAD32C65E47DCE043A64290
                                                                                                                                                                                                                                        SHA1:FAAE3FCF0CF9B959CA36E40AF9F86FE55A97FB18
                                                                                                                                                                                                                                        SHA-256:AC487AA7D12D9402F78DEE7E49E4043B00DC117EDA74339831B2344CD03A30BB
                                                                                                                                                                                                                                        SHA-512:F04F4B1B670F1B344BB3E5FBA541C8EF05AA21E69F93DE7F3EBE475D6AC6512F96089AD7B3A999CB2FD07E0C3744A5AD8DC32CD54563FA02477462AD974B44EF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF8A7712CC4AE893DF.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF904BDEEE192733B7.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.229769669755733
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:xVUuKJveFXJfT5dDZqISoedGPdGT1aStedGPdGTn:/U4HTbDkIND
                                                                                                                                                                                                                                        MD5:013F0D9127380AC9ED450CF255CEF88C
                                                                                                                                                                                                                                        SHA1:8693279DD3D09BCC3DC9023BF6CE8992803C20E9
                                                                                                                                                                                                                                        SHA-256:5681F5E93329CBD96708763F035811DC2AB829B78DA15D610A3E2003884AA11E
                                                                                                                                                                                                                                        SHA-512:A2007E17F52EF9506F324059DE577C17F35AF07665E88853CA286A5A32F80AF91F88696A5B8C951D9DB95441843DBC10E011AAE032CA5B4FCF11DC1DC17A2E3A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF904BDEEE192733B7.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF9DBD3FBDDA378897.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2207858946014327
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:I8PhcuRc06WXJEjT5hDZqISoedGPdGT1aStedGPdGTn:Xhc1HjTfDkIND
                                                                                                                                                                                                                                        MD5:F008451798E4C7F4748DCB51875EEB4C
                                                                                                                                                                                                                                        SHA1:044716DBC3AB7FB3A530262CF97EEF7B72F1AC2D
                                                                                                                                                                                                                                        SHA-256:613CAE929C601E0FDD5E928C6ABFCB2734AD03A88147DEF883CC24BBB08EAF9B
                                                                                                                                                                                                                                        SHA-512:20B2822E0B772D444013BF118EA6E8A29EC7E0B31A68B74EB78DBA8E85F28D864E9A2B26BF487362436CD5F2CD0C4C681943F339BF49548FFCD3709083FD2B67
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF9DBD3FBDDA378897.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFB677AA5F8B39A7D5.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFB9B6304401B14D43.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):0.0736971496965151
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOS6NmJLuDd8stYVky6lYt/:2F0i8n0itFzDHFS60sNY1
                                                                                                                                                                                                                                        MD5:663B3AE1EA3E68543179F6013EF04D8D
                                                                                                                                                                                                                                        SHA1:A629DC55C62584BFBE393068EB9420F71A6735FC
                                                                                                                                                                                                                                        SHA-256:5B33028709D80AB339507F854166E2C4142F93A5610A3C4F4E4C7253B58E72B0
                                                                                                                                                                                                                                        SHA-512:1C6DA64D6F487EB1338DBA22F189B8A1240E353002D5853EAD96C2138B7FD3AE002D0A03ED6F0F278FF985D61491AA3B9CDEAA840583E2FE9670F7C10D8A4030
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFBC38BC838AF5DDC7.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFC168934D7CAB4E4C.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.14483873041276563
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:CnjEubmStedGPdGeqISoedGPdGfMnr26g:ijNyLIBi6
                                                                                                                                                                                                                                        MD5:07E1277D27496291301C9DB956007681
                                                                                                                                                                                                                                        SHA1:AA192D0B9C6D1556E9C55DCBC1E37BA69B3D7565
                                                                                                                                                                                                                                        SHA-256:31FB94F6B130C38E1C78DCDC4E99E6DD14E13D4A68108D540FC07FD0A07FCB41
                                                                                                                                                                                                                                        SHA-512:D4E67A4CE5BEECF8A0247B2DDF3819A7100DF9821A46ED6401404CC6C7958E8AD1C0A45A24865C90BD897AC47F2B23E5BE6942D2BCBBE4E07A9FA9F09298C805
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFC168934D7CAB4E4C.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFC2B7D2935C5DA4C8.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFDA32A04F2E009779.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.569650689881938
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:E8Ph9uRc06WXJAFT5bgvVqISoedGPdGfMnr0StedGPdGRubkZn:bh91DFT1CoIB4oYZ
                                                                                                                                                                                                                                        MD5:BEB7478D4F53378304945C4FC9A6D219
                                                                                                                                                                                                                                        SHA1:C4FEF76745478941D724D416AFAF6EDA6FDED49A
                                                                                                                                                                                                                                        SHA-256:E233BA5ECE1D916BCEB246BAC861A02C015A8365B7AA19A18483E0C06F5027AC
                                                                                                                                                                                                                                        SHA-512:1BAF3EDD2A1A44CADC2A0071F02921971D83C0BFE316A6D6A69A74D47DBE6DCBE6574266D614CE3FA6FF009332145FA48DA5F784333B98D1141898641F14327C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFDA32A04F2E009779.TMP, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFDA32A04F2E009779.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFE04CC008CF3D1B78.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFE59181B330C32E2D.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFE845B009CBBBBBAE.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49152
                                                                                                                                                                                                                                        Entropy (8bit):0.9999484770533895
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:eMMXukJveFXJfT5pHDpqISoedvPdvbCnuhnq9bnT3eTdStedvPdvxubS:uXaHTnHDUIciuBu7jep4
                                                                                                                                                                                                                                        MD5:9F6C1A48AD27E39C13B2517F90012F1D
                                                                                                                                                                                                                                        SHA1:1636DB1195562A3DF2D86564F67BDDFCE72EAB44
                                                                                                                                                                                                                                        SHA-256:1F53C4EE18B8EB8E2923773CAEA4321DBD4B59508025E9809A42B8B08853A391
                                                                                                                                                                                                                                        SHA-512:BEDBB4057C0116E63B1F2D16D3E54A9E0392891741E96589DAA09C480569A9C7E7B716FCA0CB63C6DD491A94E8F1FB4C83814130AEE8BE18C6C24A81075E8E63
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFE845B009CBBBBBAE.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFEBB840BE3DD362D6.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFF4E8FE80C7797540.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.255919286192415
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:4gFukUPveFXJFT5bgvVqISoedGPdGfMnr0StedGPdGRubkZn:hFTtT1CoIB4oYZ
                                                                                                                                                                                                                                        MD5:4682EDEBE7418C882A6E4F828B39C336
                                                                                                                                                                                                                                        SHA1:F3EF97F1E0D9CE0705C6954115C5E4CDE9395938
                                                                                                                                                                                                                                        SHA-256:4931021E962D279234489C50CC7A2B22651A29F4628879126A09FE21D9F4AF2F
                                                                                                                                                                                                                                        SHA-512:DC4866A866D7787AE5AC4686FB376C61AD22143CA829D3534FFEBD79B12D80D2E62C76020792FF16CC1BF4DE5459F9102659CFF3D8B418F77B569008E783ECE0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFF4E8FE80C7797540.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFFF916F8E542E7C7E.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.1628553906513457
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:TEubmStedvPdv+qISoedvPdvbCnuhnq9bnT3eTXw:hybIciuBu7je7w
                                                                                                                                                                                                                                        MD5:C7CB35BA41F220E63A1134AFFA9866F8
                                                                                                                                                                                                                                        SHA1:5F734D27AD45CE8CD2334F18FAF45D8A3A0B95A9
                                                                                                                                                                                                                                        SHA-256:8C676C4CB8A5F0EC41AD835DD33A23BC55A3A0873271E5C524F2734DCE3F4931
                                                                                                                                                                                                                                        SHA-512:6352A07D96D2ACC8FFB58A231C0642210B893B743799A93EFB5FA51DF98B2D9DB9CCEBD8AF864A6960AE8C6B0863AA2EF7BC134C6B383A55A02C9C0A8B5BEF6B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFFF916F8E542E7C7E.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        \Device\ConDrv

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (337), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5166
                                                                                                                                                                                                                                        Entropy (8bit):5.048363823752778
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:XgIgJgGQ/gnSi++aPGl7p7Al4gnSi++aPGl7p7Ac:SVL/N7c9L/N79
                                                                                                                                                                                                                                        MD5:5D25A5D8D13FFAA5AC1786D690851632
                                                                                                                                                                                                                                        SHA1:27291DF461C550D693BFEAE923A63FF27391E155
                                                                                                                                                                                                                                        SHA-256:E104900680CB96704ADB5C023AC08D373C087626C89D98AAF4E1AFBE7F0D2A62
                                                                                                                                                                                                                                        SHA-512:2E74450D9C1837321A0B2DA9DEB958D4AD5C24D0BB161A32BC5AE1F14DC7F21953B0F91A9B9C2328E2FBAC579E1A4ACD25B2C2284A7D5DE1262CA2FD6758D196
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024-12-03 12:19:06.1632|ERROR|WuApiService|Error on retry number 1: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2024-12-03 12:20:27.5725|ERROR|WuApiService|Error on retry number 2: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2024-12-03 12:22:34.0511|ERROR|WuApiService|Error on retry number 3: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2024-12-03 12:23:53.5980|ERROR|AgentPackageOsUpdates|Error executin

                                                                                                                                                                                                                                        Static File Info

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Entropy (8bit):7.878654579666831
                                                                                                                                                                                                                                        TrID:
                                                                                                                                                                                                                                        • Microsoft Windows Installer (60509/1) 57.88%
                                                                                                                                                                                                                                        • ClickyMouse macro set (36024/1) 34.46%
                                                                                                                                                                                                                                        • Generic OLE2 / Multistream Compound File (8008/1) 7.66%
                                                                                                                                                                                                                                        File name:Infraccion-Multa.msi
                                                                                                                                                                                                                                        File size:2'994'176 bytes
                                                                                                                                                                                                                                        MD5:ca95e99d14a8ddfdf12406dd3d884888
                                                                                                                                                                                                                                        SHA1:a66e770830656fe38a6fddd566d4e35c02e07ca1
                                                                                                                                                                                                                                        SHA256:c3f805710d62fd6f1f1258a4c6c64ca0a5f69b3c650f3714a02cc691b7ffba30
                                                                                                                                                                                                                                        SHA512:18b7214eb14318ac143a1bfabe881e19fe35f4244e10c3b4b0ad1a774f692fa5202de171729605aa3ea0df3d48add67955db4ab11009834486b15180f31cb4a3
                                                                                                                                                                                                                                        SSDEEP:49152:C+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:C+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                        TLSH:ECD523117584483AE3BB0A358D7AD6A05E7DFE605B70CA8E9308741E2D705C1AB76FB3
                                                                                                                                                                                                                                        File Content Preview:........................>......................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        File Icon

                                                                                                                                                                                                                                        Icon Hash:2d2e3797b32b2b99

                                                                                                                                                                                                                                        Network Behavior

                                                                                                                                                                                                                                        Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

                                                                                                                                                                                                                                        Statistics

                                                                                                                                                                                                                                        CPU Usage

                                                                                                                                                                                                                                        Click to jump to process

                                                                                                                                                                                                                                        Memory Usage

                                                                                                                                                                                                                                        Click to jump to process

                                                                                                                                                                                                                                        High Level Behavior Distribution

                                                                                                                                                                                                                                        Click to dive into process behavior distribution

                                                                                                                                                                                                                                        Behavior

                                                                                                                                                                                                                                        Click to jump to process

                                                                                                                                                                                                                                        System Behavior

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:0
                                                                                                                                                                                                                                        Start time:10:27:14
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Infraccion-Multa.msi"
                                                                                                                                                                                                                                        Imagebase:0x7ff69ea60000
                                                                                                                                                                                                                                        File size:69'632 bytes
                                                                                                                                                                                                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:2
                                                                                                                                                                                                                                        Start time:10:27:15
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                        Imagebase:0x7ff69ea60000
                                                                                                                                                                                                                                        File size:69'632 bytes
                                                                                                                                                                                                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:3
                                                                                                                                                                                                                                        Start time:10:27:15
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                                                                                                                                                                                                                                        Imagebase:0x7ff7b4ee0000
                                                                                                                                                                                                                                        File size:55'320 bytes
                                                                                                                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:4
                                                                                                                                                                                                                                        Start time:10:27:17
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 6591223B205D707BA6F325A467EDBE08
                                                                                                                                                                                                                                        Imagebase:0x650000
                                                                                                                                                                                                                                        File size:59'904 bytes
                                                                                                                                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:5
                                                                                                                                                                                                                                        Start time:10:27:17
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSI466F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6702921 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                                                                                                                                                                                                                        Imagebase:0x160000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000003.1329264986.00000000042F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:6
                                                                                                                                                                                                                                        Start time:10:27:18
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSI49FA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6703640 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                                                                                                                                                                                                                        Imagebase:0x160000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000006.00000003.1334354641.00000000046F3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000006.00000002.1392754612.00000000048E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000006.00000002.1392754612.0000000004841000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:7
                                                                                                                                                                                                                                        Start time:10:27:24
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSI61D8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6709734 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                                                                                                                                                                                                                        Imagebase:0x160000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000007.00000003.1397903526.000000000503E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:8
                                                                                                                                                                                                                                        Start time:10:27:26
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding F3C7ACDB760312621E2999EFF01041E2 E Global\MSI0000
                                                                                                                                                                                                                                        Imagebase:0x650000
                                                                                                                                                                                                                                        File size:59'904 bytes
                                                                                                                                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:9
                                                                                                                                                                                                                                        Start time:10:27:26
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\net.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"NET" STOP AteraAgent
                                                                                                                                                                                                                                        Imagebase:0x560000
                                                                                                                                                                                                                                        File size:47'104 bytes
                                                                                                                                                                                                                                        MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:10
                                                                                                                                                                                                                                        Start time:10:27:26
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:11
                                                                                                                                                                                                                                        Start time:10:27:26
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\net1 STOP AteraAgent
                                                                                                                                                                                                                                        Imagebase:0xc90000
                                                                                                                                                                                                                                        File size:139'776 bytes
                                                                                                                                                                                                                                        MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:12
                                                                                                                                                                                                                                        Start time:10:27:26
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"TaskKill.exe" /f /im AteraAgent.exe
                                                                                                                                                                                                                                        Imagebase:0xa20000
                                                                                                                                                                                                                                        File size:74'240 bytes
                                                                                                                                                                                                                                        MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:13
                                                                                                                                                                                                                                        Start time:10:27:26
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:14
                                                                                                                                                                                                                                        Start time:10:27:26
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="ibarra3168@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000ODucuIAD" /AgentId="5ea19671-d970-4e60-89b1-722649f3b810"
                                                                                                                                                                                                                                        Imagebase:0x1ecacc20000
                                                                                                                                                                                                                                        File size:145'968 bytes
                                                                                                                                                                                                                                        MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.1501466468.00007FFAAB604000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.1488317441.000001ECACD20000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.1492267116.000001ECAE98C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.1493783437.000001ECC73CF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.1492267116.000001ECAE989000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.1488317441.000001ECACD26000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.1492267116.000001ECAEA66000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.1490390918.000001ECAD0E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.1493058761.000001ECC71AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.1492267116.000001ECAE901000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.1488317441.000001ECACD44000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.1492267116.000001ECAE9B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.1492267116.000001ECAEA7C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.1493737340.000001ECC72B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.1501992693.00007FFB22780000.00000004.00000001.01000000.00000013.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.1488317441.000001ECACDB1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.1488317441.000001ECACD82000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.1492267116.000001ECAE9B2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.1488317441.000001ECACD62000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000000.1421332845.000001ECACC22000.00000002.00000001.01000000.00000010.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.1488317441.000001ECACD4C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.1492267116.000001ECAE9BA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.1492267116.000001ECAEA32000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 24%, ReversingLabs
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:16
                                                                                                                                                                                                                                        Start time:12:17:03
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                                                                                                                                                        Imagebase:0x244f9ac0000
                                                                                                                                                                                                                                        File size:145'968 bytes
                                                                                                                                                                                                                                        MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2295288201.00000244F9F10000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2305626780.00000244FB18A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2240920259.000000E0570F5000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2301079436.00000244FB0C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2288124073.00000244F9B8B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2242589005.00000244802FF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2242589005.0000024480791000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2242589005.0000024480411000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2242589005.0000024480670000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2242589005.0000024480107000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2242589005.00000244802FC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2242589005.00000244802EF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2288124073.00000244F9B70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2288124073.00000244F9BFB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2242589005.0000024480084000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2292408482.00000244F9C70000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2301079436.00000244FB050000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2296793931.00000244FAD10000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2242589005.0000024480694000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2242589005.0000024480476000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2301079436.00000244FB0AF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2242589005.0000024480067000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2242589005.00000244805FB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2242589005.00000244803C8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2242589005.0000024480294000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2303594626.00000244FB0ED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2329151775.00007FFB22780000.00000004.00000001.01000000.00000013.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2303594626.00000244FB154000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2242589005.00000244803B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2242589005.00000244803B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2288124073.00000244F9B78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2242589005.0000024480198000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2242589005.00000244802B3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.2242589005.0000024480001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:17
                                                                                                                                                                                                                                        Start time:12:17:04
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                                                                                                                                                        Imagebase:0x7ff734810000
                                                                                                                                                                                                                                        File size:72'192 bytes
                                                                                                                                                                                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:18
                                                                                                                                                                                                                                        Start time:12:17:04
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:19
                                                                                                                                                                                                                                        Start time:12:17:05
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSI8CE5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6720781 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                                                                                                                                                                                                                        Imagebase:0x160000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.1567660735.0000000004C97000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.1567660735.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000003.1508366399.0000000004B6C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:22
                                                                                                                                                                                                                                        Start time:12:17:44
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "1fc16f57-6eb4-4ae2-999f-a0059e46a084" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000ODucuIAD
                                                                                                                                                                                                                                        Imagebase:0x15de1040000
                                                                                                                                                                                                                                        File size:177'704 bytes
                                                                                                                                                                                                                                        MD5 hash:FD9DF72620BCA7C4D48BC105C89DFFD2
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.1935837164.00007FFB22780000.00000004.00000001.01000000.00000013.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.1931526964.0000015DE1450000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.1931745402.0000015DE14C2000.00000002.00000001.01000000.0000001A.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.1931975649.0000015DE1941000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000000.1891055349.0000015DE1042000.00000002.00000001.01000000.00000018.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.1930465528.0000015DE117D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.1931975649.0000015DE19C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.1930465528.0000015DE10F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.1931975649.0000015DE19B3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.1930465528.0000015DE1131000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.1930465528.0000015DE1133000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:23
                                                                                                                                                                                                                                        Start time:12:17:44
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:24
                                                                                                                                                                                                                                        Start time:12:17:44
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "b169c455-145e-4bb1-8ab1-50dcde04909e" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000ODucuIAD
                                                                                                                                                                                                                                        Imagebase:0x2823b280000
                                                                                                                                                                                                                                        File size:177'704 bytes
                                                                                                                                                                                                                                        MD5 hash:FD9DF72620BCA7C4D48BC105C89DFFD2
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1932095576.000002823BD1F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1930670845.000002823B3EF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1930670845.000002823B3B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1932095576.000002823BCA7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1931857757.000002823B770000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1932095576.000002823BCE3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1932095576.000002823BCD3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1930670845.000002823B436000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1933415725.00000282544C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1930670845.000002823B3B8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1935804433.00007FFB22780000.00000004.00000001.01000000.00000013.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1930670845.000002823B3CB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1930670845.000002823B3F7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1932095576.000002823BC61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:25
                                                                                                                                                                                                                                        Start time:12:17:44
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:26
                                                                                                                                                                                                                                        Start time:12:17:49
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "d2d11576-3590-4185-9a38-cc8b3bdf45d0" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000ODucuIAD
                                                                                                                                                                                                                                        Imagebase:0x21543d60000
                                                                                                                                                                                                                                        File size:177'704 bytes
                                                                                                                                                                                                                                        MD5 hash:FD9DF72620BCA7C4D48BC105C89DFFD2
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.1948149338.00000215446B3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.1947301334.0000021544036000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.1947301334.0000021543FB9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.1947301334.0000021543FB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.1948149338.00000215446C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.1947977774.0000021544250000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.1947301334.0000021543FEB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.1948149338.0000021544641000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:27
                                                                                                                                                                                                                                        Start time:12:17:49
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:28
                                                                                                                                                                                                                                        Start time:12:17:49
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                                                                                                                                                        Imagebase:0x22cda150000
                                                                                                                                                                                                                                        File size:145'968 bytes
                                                                                                                                                                                                                                        MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2505638725.0000022CDB50E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2500498014.0000022CDA341000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2505638725.0000022CDB4F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2500498014.0000022CDA36E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2654733713.00007FFB22780000.00000004.00000001.01000000.00000013.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2505638725.0000022CDB1D8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2608669984.0000022CF3464000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2505638725.0000022CDB518000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2505638725.0000022CDAEF5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2505638725.0000022CDB409000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2505638725.0000022CDB62D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2505638725.0000022CDB600000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2500498014.0000022CDA338000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2504104161.0000022CDA610000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2498081213.0000003F352F0000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2499323416.0000003F354F5000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2505638725.0000022CDACC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2499088312.0000003F353F5000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2505638725.0000022CDB1CB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2608669984.0000022CF33CF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2491178901.0000003F336F5000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2500498014.0000022CDA330000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2618399069.0000022CF3764000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2499774173.0000003F357F5000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2500353718.0000022CDA200000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2505638725.0000022CDB516000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2618399069.0000022CF3767000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2505638725.0000022CDB65F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2505638725.0000022CDB254000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2505638725.0000022CDAD2B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2505638725.0000022CDB54F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2505638725.0000022CDB17C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2618399069.0000022CF36D5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2505638725.0000022CDB217000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2608669984.0000022CF3399000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2505638725.0000022CDB512000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2500498014.0000022CDA3BB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2505638725.0000022CDB617000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2618399069.0000022CF3688000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2499472432.0000003F355F5000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2505638725.0000022CDB190000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2505638725.0000022CDB053000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2505638725.0000022CDADDE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2608669984.0000022CF33E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2505638725.0000022CDB51E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2505638725.0000022CDB228000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2618399069.0000022CF37A1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2499918187.0000003F358F5000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2505638725.0000022CDB1B2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2499622561.0000003F356F5000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2618399069.0000022CF372E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.2505638725.0000022CDAF71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:29
                                                                                                                                                                                                                                        Start time:12:17:49
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                                                                                                                                                        Imagebase:0x7ff734810000
                                                                                                                                                                                                                                        File size:72'192 bytes
                                                                                                                                                                                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:30
                                                                                                                                                                                                                                        Start time:12:17:49
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:31
                                                                                                                                                                                                                                        Start time:12:17:52
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "565525fa-351e-40ec-a343-6f2744ff6d7e" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000ODucuIAD
                                                                                                                                                                                                                                        Imagebase:0x228916f0000
                                                                                                                                                                                                                                        File size:177'704 bytes
                                                                                                                                                                                                                                        MD5 hash:FD9DF72620BCA7C4D48BC105C89DFFD2
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2184887619.0000022891A60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2185552488.00000228921FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2194932088.00000228AA9D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2185552488.0000022892001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2183822521.00000228919C2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2183822521.000002289199C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2185552488.000002289222D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2185262488.0000022891BD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2185552488.0000022892229000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2193908329.00000228AA954000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2185552488.00000228921C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2183822521.0000022891980000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2183822521.00000228919BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2183822521.0000022891A0B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2185552488.00000228925E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2185552488.00000228921FD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2193535658.00000228AA930000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2185552488.0000022892093000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2195115514.00000228AA9ED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2185552488.0000022892163000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2185552488.0000022892298000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2212392989.00007FFB22780000.00000004.00000001.01000000.00000013.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:32
                                                                                                                                                                                                                                        Start time:12:17:52
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:33
                                                                                                                                                                                                                                        Start time:12:17:53
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                        Imagebase:0x7ff759c90000
                                                                                                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000003.2049099082.00000142B2127000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2049485693.00000142B2100000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2049708275.00000142B23E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000003.1978769069.00000142B2400000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2049485693.00000142B210B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2049485693.00000142B2123000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:34
                                                                                                                                                                                                                                        Start time:12:17:53
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:35
                                                                                                                                                                                                                                        Start time:12:17:53
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\cscript.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                        Imagebase:0x7ff7ed160000
                                                                                                                                                                                                                                        File size:161'280 bytes
                                                                                                                                                                                                                                        MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2046966892.0000019CD71B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000003.2045547001.0000019CD71E2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2047374090.0000019CD71E3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:36
                                                                                                                                                                                                                                        Start time:12:17:54
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\sppsvc.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\sppsvc.exe
                                                                                                                                                                                                                                        Imagebase:0x7ff6d2770000
                                                                                                                                                                                                                                        File size:4'630'384 bytes
                                                                                                                                                                                                                                        MD5 hash:320823F03672CEB82CC3A169989ABD12
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:37
                                                                                                                                                                                                                                        Start time:12:17:55
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "345e95c7-6808-46fb-8299-d48876510569" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000ODucuIAD
                                                                                                                                                                                                                                        Imagebase:0x1dfa8b70000
                                                                                                                                                                                                                                        File size:72'744 bytes
                                                                                                                                                                                                                                        MD5 hash:5129E29D4D9A8ED94E04099622316B37
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2787070847.00007FFB22780000.00000004.00000001.01000000.00000013.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2710720925.000001DFA9891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2700723829.000001DFA8DF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2710720925.000001DFA9781000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000000.2002012642.000001DFA8B72000.00000002.00000001.01000000.0000001C.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2710720925.000001DFA9883000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2766551156.000001DFC1E5F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2700723829.000001DFA8E30000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2710720925.000001DFA97FB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2700723829.000001DFA8E7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2698696592.000001DFA8D10000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2700723829.000001DFA8DFC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2694455413.00000061556F1000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:38
                                                                                                                                                                                                                                        Start time:12:17:55
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:39
                                                                                                                                                                                                                                        Start time:12:18:01
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "eedd4cdd-5579-4207-ae57-b13ccd121903" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000ODucuIAD
                                                                                                                                                                                                                                        Imagebase:0x23e78db0000
                                                                                                                                                                                                                                        File size:398'384 bytes
                                                                                                                                                                                                                                        MD5 hash:5E3252E0248B484E76FCDBF8B42A645D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2114702922.0000023E78FB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2109546115.0000023E00001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000000.2056898678.0000023E78DB2000.00000002.00000001.01000000.0000001D.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2116294333.0000023E79330000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2114702922.0000023E78F7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2114432540.0000023E78EA0000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2120534612.0000023E7AEF5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2109546115.0000023E005B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2120503047.0000023E7ACF7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2115675181.0000023E79182000.00000002.00000001.01000000.0000001F.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2114702922.0000023E78F70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2120719229.0000023E7AF06000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2117333113.0000023E79FA0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2117333113.0000023E7A031000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2114702922.0000023E78FB9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2114702922.0000023E78FFC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2109546115.0000023E000EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2132948601.00007FFB02DD9000.00000004.00000001.01000000.0000001E.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:40
                                                                                                                                                                                                                                        Start time:12:18:01
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:41
                                                                                                                                                                                                                                        Start time:12:18:01
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k smphost
                                                                                                                                                                                                                                        Imagebase:0x7ff7b4ee0000
                                                                                                                                                                                                                                        File size:55'320 bytes
                                                                                                                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:42
                                                                                                                                                                                                                                        Start time:12:18:16
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "eedd4cdd-5579-4207-ae57-b13ccd121903" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000ODucuIAD
                                                                                                                                                                                                                                        Imagebase:0x2d4d31b0000
                                                                                                                                                                                                                                        File size:398'384 bytes
                                                                                                                                                                                                                                        MD5 hash:5E3252E0248B484E76FCDBF8B42A645D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2330361315.00007FFB02DE0000.00000004.00000001.01000000.0000001E.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2286854496.000002D4EC383000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2255590261.000002D4D3CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2292174769.000002D4ED52F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2251712890.000002D4D32F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2291303812.000002D4ED2A2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2251712890.000002D4D3374000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2251712890.000002D4D3335000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2255590261.000002D4D3D9D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2251425774.000002D4D32A0000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2286854496.000002D4EC402000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2251712890.000002D4D32F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2254306094.000002D4D3550000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2251712890.000002D4D332B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2255590261.000002D4D4267000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2255590261.000002D4D3CC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:43
                                                                                                                                                                                                                                        Start time:12:18:16
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:44
                                                                                                                                                                                                                                        Start time:12:18:22
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "d2d2be46-3b57-4869-a6b9-15804b85d2e6" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000ODucuIAD
                                                                                                                                                                                                                                        Imagebase:0x209f2090000
                                                                                                                                                                                                                                        File size:177'704 bytes
                                                                                                                                                                                                                                        MD5 hash:FD9DF72620BCA7C4D48BC105C89DFFD2
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2399031709.00000209805EA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2399031709.000002098059F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2439191857.00000209F332D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2427657808.00000209F2160000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2443302908.00000209F348B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2399031709.0000020980047000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2452020258.00007FFB22780000.00000004.00000001.01000000.00000013.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2399031709.0000020980073000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2428332429.00000209F2289000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2399031709.0000020980001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2433137766.00000209F3260000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2428332429.00000209F2200000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2399031709.00000209805E7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2428332429.00000209F223C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2428332429.00000209F221B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2399031709.0000020980083000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2399031709.00000209801D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:45
                                                                                                                                                                                                                                        Start time:12:18:22
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:46
                                                                                                                                                                                                                                        Start time:12:18:23
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                        Imagebase:0x7ff759c90000
                                                                                                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2346957319.000001C373890000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000003.2281878514.000001C3738B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2346643600.000001C373603000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2346643600.000001C3735EB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000003.2346269765.000001C373607000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2346643600.000001C3735E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:47
                                                                                                                                                                                                                                        Start time:12:18:23
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:48
                                                                                                                                                                                                                                        Start time:12:18:23
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\cscript.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                        Imagebase:0x7ff7ed160000
                                                                                                                                                                                                                                        File size:161'280 bytes
                                                                                                                                                                                                                                        MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000003.2342185102.000001262B543000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.2344707904.000001262B510000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000003.2342913944.000001262B544000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.2344873609.000001262B544000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:49
                                                                                                                                                                                                                                        Start time:12:18:27
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "99606d51-99fd-437f-9dca-e8b9473d35de" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000ODucuIAD
                                                                                                                                                                                                                                        Imagebase:0x20896910000
                                                                                                                                                                                                                                        File size:57'896 bytes
                                                                                                                                                                                                                                        MD5 hash:E9794F785780945D2DDE78520B9BB59F
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2697855430.0000020896A2B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2748240282.00000208AFB50000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2748240282.00000208AFBDE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2748240282.00000208AFBA2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2708999474.000002089747D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2697855430.00000208969A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2697855430.00000208969EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2706912193.0000020896EB5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2748240282.00000208AFB58000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2697855430.00000208969AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2708999474.0000020897311000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2693864394.000000094D513000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2708999474.0000020897569000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2697855430.00000208969E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2706502188.0000020896CE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000000.2321100224.0000020896912000.00000002.00000001.01000000.00000029.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2697855430.0000020896A81000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2748240282.00000208AFBF9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:50
                                                                                                                                                                                                                                        Start time:12:18:27
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:51
                                                                                                                                                                                                                                        Start time:12:18:29
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun
                                                                                                                                                                                                                                        Imagebase:0x2a428220000
                                                                                                                                                                                                                                        File size:57'896 bytes
                                                                                                                                                                                                                                        MD5 hash:E9794F785780945D2DDE78520B9BB59F
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2344871020.000002A428515000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2348029883.000002A428760000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2344871020.000002A4284CD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2348262212.000002A428C13000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2344871020.000002A428490000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2344871020.000002A4284AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.2348262212.000002A428B91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:52
                                                                                                                                                                                                                                        Start time:12:18:29
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:53
                                                                                                                                                                                                                                        Start time:12:18:32
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "36a6e7ff-f179-4645-aa27-c561b454e5ca" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000ODucuIAD
                                                                                                                                                                                                                                        Imagebase:0x21aa2f90000
                                                                                                                                                                                                                                        File size:33'320 bytes
                                                                                                                                                                                                                                        MD5 hash:DB1DB66EBD9B15B7DCD55374EA56EE5E
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.2715321995.0000021AA3C0A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.2712915043.0000021AA37A2000.00000002.00000001.01000000.0000003F.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.2715321995.0000021AA3952000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.2700828671.0000021AA30B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.2715321995.0000021AA3ABD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.2715321995.0000021AA396F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.2711924313.0000021AA3782000.00000002.00000001.01000000.0000003E.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.2700828671.0000021AA3096000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.2700828671.0000021AA30FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.2711398337.0000021AA33E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.2700828671.0000021AA30BD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.2693903632.0000002D9F560000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.2700828671.0000021AA307C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000000.2368008929.0000021AA2F92000.00000002.00000001.01000000.0000002C.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.2840252632.0000021ABC1FC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.2700828671.0000021AA3070000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.2715321995.0000021AA38F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:54
                                                                                                                                                                                                                                        Start time:12:18:32
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:55
                                                                                                                                                                                                                                        Start time:12:18:32
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "f8e916f1-5ec1-45cf-af7d-3313f4cd01ba" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000ODucuIAD
                                                                                                                                                                                                                                        Imagebase:0x1cf69550000
                                                                                                                                                                                                                                        File size:398'384 bytes
                                                                                                                                                                                                                                        MD5 hash:5E3252E0248B484E76FCDBF8B42A645D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2653786616.000001CF6B632000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2551284476.000001CF0028D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2551284476.000001CF006EF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2632890840.000001CF697F3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2647061264.000001CF6A7B5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2631638800.000001CF69640000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2632890840.000001CF697B3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2653581424.000001CF6B427000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2632890840.000001CF6978B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2551284476.000001CF00532000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2551284476.000001CF0031B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2655398589.000001CF6B7C4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2551284476.000001CF006F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2551284476.000001CF00283000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2693629738.00007FFB22780000.00000004.00000001.01000000.00000013.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2631918416.000001CF69770000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2693345585.00007FFB02EB9000.00000004.00000001.01000000.0000001E.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2551284476.000001CF006AB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2632890840.000001CF697AB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2551284476.000001CF003DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2551284476.000001CF006BA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2551284476.000001CF000E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2654249143.000001CF6B649000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2551284476.000001CF0044A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2642284571.000001CF69A60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2646544993.000001CF6A7A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2653986357.000001CF6B635000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2551284476.000001CF00001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2551284476.000001CF00294000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2631918416.000001CF69779000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2551284476.000001CF0056B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:56
                                                                                                                                                                                                                                        Start time:12:18:32
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:57
                                                                                                                                                                                                                                        Start time:12:18:35
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 5ea19671-d970-4e60-89b1-722649f3b810 "5d15feda-d051-4164-a19c-70689c4a1b8c" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000ODucuIAD
                                                                                                                                                                                                                                        Imagebase:0x232c0930000
                                                                                                                                                                                                                                        File size:200'744 bytes
                                                                                                                                                                                                                                        MD5 hash:680BAC4393DA4DAFE0100D9483D3B6E4
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2517968191.00000232C0AF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2527720679.00000232C19BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2523572336.00000232C0CD2000.00000002.00000001.01000000.00000032.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2527720679.00000232C15D7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2585887796.00000232D9AD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2527720679.00000232C162C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2518593398.00000232C0C02000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2527720679.00000232C1497000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2527720679.00000232C1607000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2527720679.00000232C155E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2518593398.00000232C0C9E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2585887796.00000232D9AF2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2527720679.00000232C171B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2527720679.00000232C1554000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2527720679.00000232C13C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2527720679.00000232C19AD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000000.2402109129.00000232C0932000.00000002.00000001.01000000.0000002D.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2518593398.00000232C0C0A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2518593398.00000232C0BCC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2518593398.00000232C0C4D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2518593398.00000232C0BC0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2527720679.00000232C1682000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:58
                                                                                                                                                                                                                                        Start time:12:18:35
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:59
                                                                                                                                                                                                                                        Start time:12:18:36
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                                                                                                                                                                                                                        Imagebase:0x7ff69ea60000
                                                                                                                                                                                                                                        File size:69'632 bytes
                                                                                                                                                                                                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003B.00000003.2545087834.0000021009770000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003B.00000003.2475440163.0000021009837000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:60
                                                                                                                                                                                                                                        Start time:12:18:37
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding D91E01284641A82F51BC37F15E50E5A2 E Global\MSI0000
                                                                                                                                                                                                                                        Imagebase:0x960000
                                                                                                                                                                                                                                        File size:59'904 bytes
                                                                                                                                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:61
                                                                                                                                                                                                                                        Start time:12:18:37
                                                                                                                                                                                                                                        Start date:03/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSIF30D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6812500 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                                                                                                                                                                                                                        Imagebase:0x160000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000003.2423466752.000000000468B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Disassembly

                                                                                                                                                                                                                                        Reset < >

                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                          Function 04551630 Relevance: 2.7, Strings: 2, Instructions: 159COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1330151200.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4550000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: $q$$q
                                                                                                                                                                                                                                          • API String ID: 0-3126353813
                                                                                                                                                                                                                                          • Opcode ID: ea6c14b3e2406ffb81405259c868ea658bfdf1d3d3120096f44f6983ce7d564f
                                                                                                                                                                                                                                          • Instruction ID: 3aa1797485349d60ef748e0afd76a6658832dfd855b91c1182de30c77e1dada3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ea6c14b3e2406ffb81405259c868ea658bfdf1d3d3120096f44f6983ce7d564f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9E51CE35F016099FD714DF78D8606AEBBB6FBC9250B14812BE815DB360DB30AC02DB90
                                                                                                                                                                                                                                          Function 04551080 Relevance: 1.5, Strings: 1, Instructions: 212COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1330151200.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4550000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q
                                                                                                                                                                                                                                          • API String ID: 0-2414175341
                                                                                                                                                                                                                                          • Opcode ID: 64ed0a1769d2cd62aff73a00221fa9949423adc139c6fdeb18983946b6a9b665
                                                                                                                                                                                                                                          • Instruction ID: a3df5a2eba65f9f1c773294dcee57b3b1d33072661321fb51edcb6eced716e72
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 64ed0a1769d2cd62aff73a00221fa9949423adc139c6fdeb18983946b6a9b665
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7F717335F006149FEB149B75D8647BEBBA7BFC8210F15802AE9069B3A0DF35AC429791
                                                                                                                                                                                                                                          Function 04550C1C Relevance: 1.4, Strings: 1, Instructions: 155COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1330151200.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4550000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q
                                                                                                                                                                                                                                          • API String ID: 0-2414175341
                                                                                                                                                                                                                                          • Opcode ID: af94baa47e7437e358e7689bd062adc597372c4b50b5085d6f0771f9591c077c
                                                                                                                                                                                                                                          • Instruction ID: 12c8018bde8c95b4b9b00e759fd346de953d2f2db2c21dad31659c6e96b782ca
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: af94baa47e7437e358e7689bd062adc597372c4b50b5085d6f0771f9591c077c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1C51C430B04245AFF7149B64D8647BE7FB6EFC9314F14442AD806EB791CE786C069B91
                                                                                                                                                                                                                                          Function 04552644 Relevance: 1.4, Strings: 1, Instructions: 133COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1330151200.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4550000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q
                                                                                                                                                                                                                                          • API String ID: 0-2414175341
                                                                                                                                                                                                                                          • Opcode ID: 2ff21ba72ba8d82f89335471d25ec295480a97dd3e50c32f46561f0a656f1b29
                                                                                                                                                                                                                                          • Instruction ID: a36052322c651c9f448ba849d5c1a1b8a5bfa2a7bc5ca041fd6ba77c6bbde909
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2ff21ba72ba8d82f89335471d25ec295480a97dd3e50c32f46561f0a656f1b29
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C5316F21B093541FF7291B3464743BE3B9AEFC1614F0484BBEC05CB2A2DD68AC47A7A5
                                                                                                                                                                                                                                          Function 04552764 Relevance: .4, Instructions: 397COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1330151200.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4550000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5ca13ea2132b5d86cb43e07637bb68c6cc3803268bc93ebb8cc4c1e86dc8ccc7
                                                                                                                                                                                                                                          • Instruction ID: 932e814d730b2b8d4348b9bf36280a4c18c69dc379567b561f2f217c6f75c8d5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5ca13ea2132b5d86cb43e07637bb68c6cc3803268bc93ebb8cc4c1e86dc8ccc7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 90E02BB0C052059FD790DF68D5865EB7FF4FA04100B2041BFD408C6210FA329943CFA1
                                                                                                                                                                                                                                          Function 045523B8 Relevance: .2, Instructions: 184COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1330151200.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4550000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ce4d35a906b16dcbeb6fa8952c4036ce1d22650fe841a77025491634f5b65ff7
                                                                                                                                                                                                                                          • Instruction ID: e660dec166505443efb4e1ea4df85fc554237878fa11665b11aeae200d06717d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ce4d35a906b16dcbeb6fa8952c4036ce1d22650fe841a77025491634f5b65ff7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6751D535B012159FD710CB68E8A4AAABBB5FF45314F1581E6E818DF272D731EC42CB91
                                                                                                                                                                                                                                          Function 04552268 Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1330151200.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4550000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 40e0ccae002e403a0e7586e673b0570994f58462a35ff278204ce2f0ae90afa6
                                                                                                                                                                                                                                          • Instruction ID: bd02fc18c8add07e6310d56fc6ccf0f2b11ad675781207e85d6fcace1740db39
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 40e0ccae002e403a0e7586e673b0570994f58462a35ff278204ce2f0ae90afa6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F2411C39B001189FCB54DF68D8909AEBBB2FF89710B14816AE905EB364DB31ED41DF90
                                                                                                                                                                                                                                          Function 04552664 Relevance: .1, Instructions: 93COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1330151200.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4550000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a05c51a75361f9931dde5530ad0d5a329592e67da102fd7498e16c754bf3c139
                                                                                                                                                                                                                                          • Instruction ID: a7122b1c2263194beb8c9ea07a5dfcceda2ff1391a71c80beb8d63ff916c0bbc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a05c51a75361f9931dde5530ad0d5a329592e67da102fd7498e16c754bf3c139
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 67213535A423193FF71026A478797FB3F68EF82224F0144A3FD489A162D9249C87A7E1
                                                                                                                                                                                                                                          Function 04551050 Relevance: .1, Instructions: 89COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1330151200.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4550000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ee1be3e2bc9c85e19e7def59f668524c0927dec2f8a20d83ba78298010786e4e
                                                                                                                                                                                                                                          • Instruction ID: 75ed0827bb8f52eea8e4f4784e1e83632db766e2a174b31ba7895d840fd1a3ef
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ee1be3e2bc9c85e19e7def59f668524c0927dec2f8a20d83ba78298010786e4e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1621C732F012249BEB109B7598A07FEBFAAEFC4255F044067D906DB2A1EA34DD079791
                                                                                                                                                                                                                                          Function 04552258 Relevance: .1, Instructions: 63COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1330151200.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4550000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4763cbf3df4a6aeeb1bea1674bccf29d6ee02ac3cd55f48c1f94a36129a509b9
                                                                                                                                                                                                                                          • Instruction ID: 990713019e0426fefa887e8381a46ab30acea70b60896ff7217e4cb0e19b69c4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4763cbf3df4a6aeeb1bea1674bccf29d6ee02ac3cd55f48c1f94a36129a509b9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C3213875E102189FCB54DF69D8809AEBBF5FF8C710F10812AE815AB360DB319842CF90
                                                                                                                                                                                                                                          Function 04551958 Relevance: .1, Instructions: 57COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1330151200.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4550000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3bcf25c1e27c152d8caa0a4a8a8bbd8dafad245a9286de9bba8165cb0788af74
                                                                                                                                                                                                                                          • Instruction ID: 08fb2a010d1164f55533ac9be5dd47944ae204ac509697cd544e6c37479f27be
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3bcf25c1e27c152d8caa0a4a8a8bbd8dafad245a9286de9bba8165cb0788af74
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D2116D31A00254AFF714DF64D459AAABBF6EF8C310F108129E50ADB650CB74AC47CB90
                                                                                                                                                                                                                                          Function 04551378 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1330151200.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4550000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1bb7b8afdc236094b8de16beb4339dabacd53a643169eec4d8c7b07f6cfec8af
                                                                                                                                                                                                                                          • Instruction ID: 29a7ed7cdceb179e6227be8b46d64d8ac91607a9e05879b4476c0e86d3fd516f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1bb7b8afdc236094b8de16beb4339dabacd53a643169eec4d8c7b07f6cfec8af
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2F21F575D002099FDB14DFAAC481B9EFBF4FF48310F50852AD969A7240C7756905CFA1
                                                                                                                                                                                                                                          Function 04551380 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1330151200.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4550000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 777b6de442ce1e36b77dea294d009d1183cb026f597e2c34279bee7fded87a8f
                                                                                                                                                                                                                                          • Instruction ID: 90603aba01d6ba6349bc055a970cf6585837f0952b816a9374da2823773851bc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 777b6de442ce1e36b77dea294d009d1183cb026f597e2c34279bee7fded87a8f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4F11F474D002498FDB24DFAAC481BAEFBF4FF48310F50852AD959A7250CB756905CFA5
                                                                                                                                                                                                                                          Function 04551968 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1330151200.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4550000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 137ab5eaaca7f699a82e4a63abac4273308a9bc09ca273052ca453c27848b51d
                                                                                                                                                                                                                                          • Instruction ID: edc03b62d7c3b7ae721ce10518c49a722949ddc5a094f732f3b60eeebbc69101
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 137ab5eaaca7f699a82e4a63abac4273308a9bc09ca273052ca453c27848b51d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 37112E35A00255AFEB14DF54D455AA97BB6EF8C310F144019E50AEB790CB795C46CB90
                                                                                                                                                                                                                                          Function 04551440 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1330151200.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4550000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f9c9b6045d685c92084871b66bdf93a718f74678516e150112bb046eae7d6bc0
                                                                                                                                                                                                                                          • Instruction ID: 95743bcc90025c7d00ad666aeae2bd8fce6e0344ccfb9535cea4fbf50c7cfd02
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f9c9b6045d685c92084871b66bdf93a718f74678516e150112bb046eae7d6bc0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FF01D830E093845FE7195F78787573A7FEAEEC2101B0518AEC98ACF961E925DC0A87D1
                                                                                                                                                                                                                                          Function 041BD01D Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000002.1331522136.00000000041BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 041BD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_41bd000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c6c7cc17158dbc6dcdcf0a74ecbaf64d056adf710c391f6d6aeb9f3d2fb631b6
                                                                                                                                                                                                                                          • Instruction ID: 00ebe0028f381daaa9ddfecaf34c9e5d6d218cd53e697c37424bd7eb4a674f20
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c6c7cc17158dbc6dcdcf0a74ecbaf64d056adf710c391f6d6aeb9f3d2fb631b6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9E01F7305087409BE7284E21FCC4BA7BF98DF41325F18C55AEC880B182C379A846CAF1
                                                                                                                                                                                                                                          Function 04551829 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1330151200.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4550000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 80723e5d113355fe33cca84e0845fa277b8372ebcc84fffdf85f3c4725447c67
                                                                                                                                                                                                                                          • Instruction ID: f2734126caae48235705c4d73b3eb03d2f4b1d9bf142f5541aea6b76eceabecb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 80723e5d113355fe33cca84e0845fa277b8372ebcc84fffdf85f3c4725447c67
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1F018431E0460587E718EA6995647BFBEF6ABC8704F20442FD802F7390CF755C019B91
                                                                                                                                                                                                                                          Function 041BD006 Relevance: .0, Instructions: 44COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000002.1331522136.00000000041BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 041BD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_41bd000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a4c0511b9cec6137b5eb58a02dfe2142025c9648e94da8437f95087b7c20b0be
                                                                                                                                                                                                                                          • Instruction ID: d6ea276e09181143cf634a27ca271408f27579d64a6ee89cb568bec31fd9845e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a4c0511b9cec6137b5eb58a02dfe2142025c9648e94da8437f95087b7c20b0be
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 35015E7100E3C09FD7168B25DC95B52BFB4DF43224F1981DBD8888F1A3C2699849CBB2
                                                                                                                                                                                                                                          Function 04552A98 Relevance: .0, Instructions: 43COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1330151200.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4550000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 258cc6749932dcec91ae230d4eb5a4e1b36d0023d01e9827bc25619b167716a7
                                                                                                                                                                                                                                          • Instruction ID: 8ce297b2c40454697168e2b5fe3982d4d6e77a349799559547e81e4b9df2ae23
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 258cc6749932dcec91ae230d4eb5a4e1b36d0023d01e9827bc25619b167716a7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F2F02B2670521017D3355A16B4E46BB7B5AFFC4614F0840ABFD08C7261E9645C026BA1
                                                                                                                                                                                                                                          Function 045525D1 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1330151200.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4550000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 860a771e86713aac66ae4fff14b17dc7b1e510bb3237172e4f82ccc198b34cd0
                                                                                                                                                                                                                                          • Instruction ID: 315a4605977c8eedfe2261abd0c45086f5ebd3b81b1e84a59c65a3f13753d273
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 860a771e86713aac66ae4fff14b17dc7b1e510bb3237172e4f82ccc198b34cd0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 90F0E036B101045FE7585558E4995FF7776DBC8211F21803AE806A7280FF645D0BC791
                                                                                                                                                                                                                                          Function 04551431 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1330151200.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4550000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cba3ab4e69cf63c99620eff9b09b77b14cfc31a9705da36eb5dcbb465a05ef11
                                                                                                                                                                                                                                          • Instruction ID: c95b653637b05a4dc3e940785c3d889c104d5cd775d3ed4bcd1560bca1c61681
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cba3ab4e69cf63c99620eff9b09b77b14cfc31a9705da36eb5dcbb465a05ef11
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 34F0C230E083845FE7186F78647573A7FDBFEC1201B05186E898ACF950E934D80687D1
                                                                                                                                                                                                                                          Function 045525E0 Relevance: .0, Instructions: 29COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1330151200.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4550000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5c34b5b0d74b04ce5c71fca8a81ede2cf4d18a9b399fe5eb10c0f6a1e3694105
                                                                                                                                                                                                                                          • Instruction ID: 3ba0549f44cc0a5c31acf714a5ce5a91c9079699f98e294600712e25edf09558
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5c34b5b0d74b04ce5c71fca8a81ede2cf4d18a9b399fe5eb10c0f6a1e3694105
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ECE0E536F101585BCB089668E4645FDBBBAEBC8211F118036E812B3340EF706D19CB90
                                                                                                                                                                                                                                          Function 04552654 Relevance: .0, Instructions: 29COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1330151200.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4550000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5ad8490375d42807c258c007ed8e5c8843e59a78236780c36fbea80be6630fde
                                                                                                                                                                                                                                          • Instruction ID: 6d87f2dbc59aa597260e8b3c858d8215f77c91260c91a1ac7c96a264ec2dcdff
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5ad8490375d42807c258c007ed8e5c8843e59a78236780c36fbea80be6630fde
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C7E0922071431902FB3C296464307B636CE6B80A28F004DBBFC0287651EAD4F84537E2
                                                                                                                                                                                                                                          Function 04552590 Relevance: .0, Instructions: 22COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1330151200.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4550000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b63969af59a054787c54aca1bdf57256925e5f8b93152e8df430774802425a91
                                                                                                                                                                                                                                          • Instruction ID: 5178b7397e6b7c6e2ac306e85ad129b6679bf5f37f2c83c44db7ae90df91f258
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b63969af59a054787c54aca1bdf57256925e5f8b93152e8df430774802425a91
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 56E0C2B550A3401BF7229770B8D65CE3F11EE801053024892D0819F523EF10AC9B83D3
                                                                                                                                                                                                                                          Function 045517F0 Relevance: .0, Instructions: 21COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1330151200.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4550000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f31d7135671c9d43c08d47a40958df345f898d88bfe9760f8f0bbb0b1b3f9de0
                                                                                                                                                                                                                                          • Instruction ID: b56b70ed92da76a5c23a9460a4727f5dd0bd4789effdff21ac7e8cef5759add6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f31d7135671c9d43c08d47a40958df345f898d88bfe9760f8f0bbb0b1b3f9de0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 24D02B363591441FC3059754B45B4E57F7DEB561203044067F84587262DE210C82C7D1
                                                                                                                                                                                                                                          Function 04550C0C Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1330151200.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4550000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9b2a3011bbce190a5a9e3928779e0f917156a63a8543bce482fa914e42398b89
                                                                                                                                                                                                                                          • Instruction ID: cf09972f706f185358c5fb86c890f55142205cf6fa34b075016845ad53e1c697
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9b2a3011bbce190a5a9e3928779e0f917156a63a8543bce482fa914e42398b89
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FDD0973231010C2B62102214C855ABABFACF7842603004423FC0283320DE307C019385
                                                                                                                                                                                                                                          Function 04552A58 Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1330151200.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4550000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 46c84127722fffe039bae2055f80a3c65db0953df07c64fd36e1b190ec65f1be
                                                                                                                                                                                                                                          • Instruction ID: 9b8833e49103d1c5b1c247f3ec5af0e199bd1a9e351c66c7cd912a9440d07db5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 46c84127722fffe039bae2055f80a3c65db0953df07c64fd36e1b190ec65f1be
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3CE0E2B4D002099F8780EFB9855156ABBF4BB48204F2085AAA809D7210FA32AA02CF91
                                                                                                                                                                                                                                          Function 04550440 Relevance: .0, Instructions: 13COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1330151200.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_4550000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5a0256a5049ebf228fe658665e5f851c3d7b6eb814b4155247f3c905a67681f9
                                                                                                                                                                                                                                          • Instruction ID: 80882af1684718bb180c436351d00a669907d7e6ce536f08a99889e7340bcd97
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5a0256a5049ebf228fe658665e5f851c3d7b6eb814b4155247f3c905a67681f9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 51D01272A583409FD309460814145FEF7F8FAE271AB45C6AB808488812532984079522

                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                          Function 06DA0040 Relevance: 1.7, Strings: 1, Instructions: 471COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391138762.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6da0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: \;q
                                                                                                                                                                                                                                          • API String ID: 0-705206692
                                                                                                                                                                                                                                          • Opcode ID: b9bc45b30cd96448e089fee29b17b08f45e8ced5e9564bd0ded594035a449214
                                                                                                                                                                                                                                          • Instruction ID: 764ad5c49573626f71d4696b291e81030d4e6062ca46f35f3dd999d200063d5d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b9bc45b30cd96448e089fee29b17b08f45e8ced5e9564bd0ded594035a449214
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5E225C30E10719CFDB54DF64C88469DB7B2BF89304F1186A9E946AB351EB70E985CB90
                                                                                                                                                                                                                                          Function 06CB746A Relevance: 20.9, Strings: 16, Instructions: 919COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: q$$&q$(_q$4'q$4'q$4'q$4'q$4cq$4cq$@bq$|-q$$q$$q$cq$cq$q
                                                                                                                                                                                                                                          • API String ID: 0-2092175375
                                                                                                                                                                                                                                          • Opcode ID: 081b129fc436adedf31904456d888def5e759cd22b4f8cda0dbe62106f647840
                                                                                                                                                                                                                                          • Instruction ID: 8110f3644dede98ddf0d45232e5c81237e355d16723d0cc8473186dfe4d3001a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 081b129fc436adedf31904456d888def5e759cd22b4f8cda0dbe62106f647840
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3BA2E334D002589FEB259F61D854BEDBBB2FF8A300F1445EAD5096B260DE319E85DF81
                                                                                                                                                                                                                                          Function 06CB74C0 Relevance: 20.9, Strings: 16, Instructions: 867COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: q$$&q$(_q$4'q$4'q$4'q$4'q$4cq$4cq$@bq$|-q$$q$$q$cq$cq$q
                                                                                                                                                                                                                                          • API String ID: 0-2092175375
                                                                                                                                                                                                                                          • Opcode ID: 49ae8849d816aa85127e028be149771ae1e45c5f143ee3ac6daa3162a7cbafbe
                                                                                                                                                                                                                                          • Instruction ID: e68e56f9cb038fa07fdb71b7645f4833e971c9b282dab7b2d4a4c5ca7a29a49e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 49ae8849d816aa85127e028be149771ae1e45c5f143ee3ac6daa3162a7cbafbe
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5792B234D002189FEB259F61D854BEDBBB2BF8A301F1445E9D5096B260DF319E85DF81
                                                                                                                                                                                                                                          Function 06CBB688 Relevance: 6.5, Strings: 5, Instructions: 225COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q$\;q$l;et$?et$|q
                                                                                                                                                                                                                                          • API String ID: 0-1828330019
                                                                                                                                                                                                                                          • Opcode ID: c3ffd4d4b8f119c4e35684365118935668b0135524f472c09cbb1eca721980ce
                                                                                                                                                                                                                                          • Instruction ID: 6dcddf00f2368060b2071e41dca9d8fc478c5198eb88af3c9c37e047121da885
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c3ffd4d4b8f119c4e35684365118935668b0135524f472c09cbb1eca721980ce
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2061D375F042164BE7549A3A9850ABFB7A7AFC4244F24902AE806DB394EE31DD0387E1
                                                                                                                                                                                                                                          Function 06CBBAD8 Relevance: 3.9, Strings: 3, Instructions: 192COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q$(q$(q
                                                                                                                                                                                                                                          • API String ID: 0-2103260149
                                                                                                                                                                                                                                          • Opcode ID: 6ddff5c4405898d9082b5d00817fc920cda8d9233618ae0d739e614e4c4fa50b
                                                                                                                                                                                                                                          • Instruction ID: f3a822dd65fadcca5513dfed8f10d934894bdadbdf273a0740efacfa680c6b6b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6ddff5c4405898d9082b5d00817fc920cda8d9233618ae0d739e614e4c4fa50b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5051C231B002154FEB14EF79D454AAE7BE6FFC4650B1440AAE90ADB360EE31ED01C795
                                                                                                                                                                                                                                          Function 06CB85C0 Relevance: 2.9, Strings: 2, Instructions: 438COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q$d
                                                                                                                                                                                                                                          • API String ID: 0-1617062230
                                                                                                                                                                                                                                          • Opcode ID: 8e2c9e9ce1bb274d7eb60f5aa249057de0972c88236f342af058fa305b2a2192
                                                                                                                                                                                                                                          • Instruction ID: 422e3cc4526e375fc9d418427484943f11a57dabcd3358964c9eaa3db9406881
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8e2c9e9ce1bb274d7eb60f5aa249057de0972c88236f342af058fa305b2a2192
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 03028934A016058FDB64CF29C480AAABBF6FF88314B25C669D45ADB365D730FD46CB90
                                                                                                                                                                                                                                          Function 06CB6C20 Relevance: 2.8, Strings: 2, Instructions: 333COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q$|7et
                                                                                                                                                                                                                                          • API String ID: 0-2073623880
                                                                                                                                                                                                                                          • Opcode ID: c3fd2bd7df9f0e39f484832e745e7da487dbdca4dd0fd05acc52add0f7445291
                                                                                                                                                                                                                                          • Instruction ID: f3bda75f7394ae669a7e4ae27882d19ebb1b299c92d115e276fed280574ab694
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c3fd2bd7df9f0e39f484832e745e7da487dbdca4dd0fd05acc52add0f7445291
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 42C1B130B002158FD764DB6AD454AAEBBF2BFC8210B28956DE846DB354DF30ED42CB95
                                                                                                                                                                                                                                          Function 06CB1630 Relevance: 2.7, Strings: 2, Instructions: 159COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: $q$$q
                                                                                                                                                                                                                                          • API String ID: 0-3126353813
                                                                                                                                                                                                                                          • Opcode ID: adad08f92fc74fa322e634902a4558798ddf3052d04d991dea8f7fb5bcd51964
                                                                                                                                                                                                                                          • Instruction ID: 97b33f855157645dbab4757257a72a5c22d2bedc3207fce70026c0924750f365
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: adad08f92fc74fa322e634902a4558798ddf3052d04d991dea8f7fb5bcd51964
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8051C035B012099FDB64DF79D8506EEBBE6FFC9250F18812AE815E7360DA309D02C7A1
                                                                                                                                                                                                                                          Function 06CB4EC0 Relevance: 2.6, Strings: 2, Instructions: 143COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q$4'q
                                                                                                                                                                                                                                          • API String ID: 0-1357480937
                                                                                                                                                                                                                                          • Opcode ID: 4be77bf2fdb60f32bb557ceb80015c3039ca02251b6f0a72cda5580f5814370f
                                                                                                                                                                                                                                          • Instruction ID: fe62ebcae314a77f822216e7faf9812862c880ca4a9e92db99328c4e27c2ff8a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4be77bf2fdb60f32bb557ceb80015c3039ca02251b6f0a72cda5580f5814370f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C441ED30B042068FDB58EF68D85069E77E2BFC8245B64855DD40ACF359DE34ED06CBA6
                                                                                                                                                                                                                                          Function 06CBA228 Relevance: 2.6, Strings: 2, Instructions: 137COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q$(q
                                                                                                                                                                                                                                          • API String ID: 0-2485164810
                                                                                                                                                                                                                                          • Opcode ID: 7c4cc12b39a38473eb5786ccb9c3b8d99b1e50ff8b70fde76a738505808f7fe2
                                                                                                                                                                                                                                          • Instruction ID: bf643f418e167a67e524800fbb3c6db4afe6055738832cc1a944540c4f3d6106
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7c4cc12b39a38473eb5786ccb9c3b8d99b1e50ff8b70fde76a738505808f7fe2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9C411634F042449FE715CFA5C854B9EBBF2EF89610F24809DD845AB391CA35ED02CBA5
                                                                                                                                                                                                                                          Function 06CB30EC Relevance: 2.6, Strings: 2, Instructions: 136COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q$LRq
                                                                                                                                                                                                                                          • API String ID: 0-2259313658
                                                                                                                                                                                                                                          • Opcode ID: 9265d89d874cb7559f36ab79cd97ee7f0bfbace8e7b28dcc34418097c6e096a0
                                                                                                                                                                                                                                          • Instruction ID: 2f95333f831da1fdd9e2e247671afdc101847dd61a2a3378e2b0978dee52c544
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9265d89d874cb7559f36ab79cd97ee7f0bfbace8e7b28dcc34418097c6e096a0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D6412434B042849FEB589B7998147BE3BA7EFC9604F04816EE80ADB391DE78DD01C791
                                                                                                                                                                                                                                          Function 06CBEA88 Relevance: 2.6, Strings: 2, Instructions: 121COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q$T;et
                                                                                                                                                                                                                                          • API String ID: 0-386171901
                                                                                                                                                                                                                                          • Opcode ID: 7512041a6f94ebb5265ea19b906f58e2e9102bb4ab149bde949794d82ec66786
                                                                                                                                                                                                                                          • Instruction ID: 82b0f92ae699e578d4404c8d390bf185f656798b3a04c63483fd3a0a7c3427bf
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7512041a6f94ebb5265ea19b906f58e2e9102bb4ab149bde949794d82ec66786
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1A310031B102154FEB589B6ED8559AEBBE6FFC8690B144139E906CB350DE30ED028BA5
                                                                                                                                                                                                                                          Function 06CBE1F0 Relevance: 1.6, Strings: 1, Instructions: 326COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (Aq
                                                                                                                                                                                                                                          • API String ID: 0-165228061
                                                                                                                                                                                                                                          • Opcode ID: cc14b5fc695d927e497f860fe20ef6b7b96c372b496c11ced2b8e93505993a1c
                                                                                                                                                                                                                                          • Instruction ID: 2e0ded9dda9882aae23b4b2eb651bbf42073e4ebd1735b68c315aabe37d240c5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cc14b5fc695d927e497f860fe20ef6b7b96c372b496c11ced2b8e93505993a1c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BFC17C70B102199FDB54DFA9D894AEEBBB2AF88740F145129D902EB350DF70DD06CB91
                                                                                                                                                                                                                                          Function 06CB99B8 Relevance: 1.6, Strings: 1, Instructions: 324COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q
                                                                                                                                                                                                                                          • API String ID: 0-2414175341
                                                                                                                                                                                                                                          • Opcode ID: 101f68b1419a3a99a04c2143feba5b900eb3d7d5098309a11b08a45863c51da6
                                                                                                                                                                                                                                          • Instruction ID: 2b0b658a33794c9f5b76f084f82d8048f3e3efe664c76ad592974f7b5bcc1a75
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 101f68b1419a3a99a04c2143feba5b900eb3d7d5098309a11b08a45863c51da6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AEE13934E003598FDB55DF69C888A9DBBF2BF8A300F148199D909AB365DB70ED46CB50
                                                                                                                                                                                                                                          Function 06DA9FE0 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 06DA9FF8
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391138762.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6da0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 6842923-0
                                                                                                                                                                                                                                          • Opcode ID: 517c697b7c58e8b22fee1dd3ba78d8d57d392a5c9c382d03c30e133c6e623663
                                                                                                                                                                                                                                          • Instruction ID: 7188e7defd1914ee05a155d284bfa56a831fc519780a9cea4861909935ca045c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 517c697b7c58e8b22fee1dd3ba78d8d57d392a5c9c382d03c30e133c6e623663
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D0112C36E053049FDB60CF7AD8403EDB7B5EB88364F188625D91563294EB36E948CB54
                                                                                                                                                                                                                                          Function 06DA9FD0 Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 06DA9FF8
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391138762.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6da0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 6842923-0
                                                                                                                                                                                                                                          • Opcode ID: be892bafff9d660a93a1808e93fb70d08ccc2602b4f21b674fe6f225efdf661b
                                                                                                                                                                                                                                          • Instruction ID: 9788bb6f17b3f47e7f975b164a1d2be655b4c541f8c40a927cb7aa911a1e4b03
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: be892bafff9d660a93a1808e93fb70d08ccc2602b4f21b674fe6f225efdf661b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6B112735D0A3449FDB648F35C8443ED7B659B49264F188318D91163294EB32D848CBA4
                                                                                                                                                                                                                                          Function 06CBBE40 Relevance: 1.5, Strings: 1, Instructions: 273COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: Qfl^
                                                                                                                                                                                                                                          • API String ID: 0-1931398726
                                                                                                                                                                                                                                          • Opcode ID: d5c9286314b9abe2b344f37ba015eb44bb70875d5579c6d19e93a0232e04ffc9
                                                                                                                                                                                                                                          • Instruction ID: 6d6f08f9d4878abf19e7c9071d3327872ec7843ca4c5c81843c233d1629f4757
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d5c9286314b9abe2b344f37ba015eb44bb70875d5579c6d19e93a0232e04ffc9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C0B16E78B007118FDB54DF35D9849AABBF2BF88200B148669D946DB365DF30ED06CB91
                                                                                                                                                                                                                                          Function 06CB1080 Relevance: 1.5, Strings: 1, Instructions: 212COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q
                                                                                                                                                                                                                                          • API String ID: 0-2414175341
                                                                                                                                                                                                                                          • Opcode ID: 0ed9fbd18f4b78befb50177b2d994f5cc239fd4229ce106978a8cdfc3e7fe8d1
                                                                                                                                                                                                                                          • Instruction ID: d80e7d53ef25b88a0af7e5d474be6cbb00bbb708029222a65171491e93f8a257
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0ed9fbd18f4b78befb50177b2d994f5cc239fd4229ce106978a8cdfc3e7fe8d1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8F71A735F002189FEB549BB5C8547AEB7A7BFC8214F188129E906DB760DE34DD02D791
                                                                                                                                                                                                                                          Function 06CBBE33 Relevance: 1.4, Strings: 1, Instructions: 193COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: Qfl^
                                                                                                                                                                                                                                          • API String ID: 0-1931398726
                                                                                                                                                                                                                                          • Opcode ID: 0c839d75b2f9c43491200830d282de1ac0eefccfda00466a13e815aadd150eb7
                                                                                                                                                                                                                                          • Instruction ID: 818323ebe5c9aa499911b86ae8bd7e8e0646300196f5f39bc49137a8a223fecd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0c839d75b2f9c43491200830d282de1ac0eefccfda00466a13e815aadd150eb7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5A717A78B003118FDB55DF39D8949AEFBF2BF89200B048669D9469B355DB30ED06CB91
                                                                                                                                                                                                                                          Function 06CB6048 Relevance: 1.4, Strings: 1, Instructions: 189COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q
                                                                                                                                                                                                                                          • API String ID: 0-2414175341
                                                                                                                                                                                                                                          • Opcode ID: b9987b2a0351411fc61a5beb6fae84c78ab7496b9c6c30ce1e24f9b747b50e5c
                                                                                                                                                                                                                                          • Instruction ID: bd2ac3654820c7dfd02104edfa0d21a6f743b409dd9f267615ce25fc77f34d4f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b9987b2a0351411fc61a5beb6fae84c78ab7496b9c6c30ce1e24f9b747b50e5c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9B711A34E003189FEB15EFE4D850B9EBBB2EF89310F104069D547A77A0DE356D46AB62
                                                                                                                                                                                                                                          Function 06CB68E0 Relevance: 1.4, Strings: 1, Instructions: 189COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q
                                                                                                                                                                                                                                          • API String ID: 0-2414175341
                                                                                                                                                                                                                                          • Opcode ID: aed8a3b37be5738f54940473c678ad00befc7809b4f42b1b99d8c8ebabcd2ba2
                                                                                                                                                                                                                                          • Instruction ID: 1214b0ce4d6397c503310ac6a00c807648979436b7c760277572a623969fa652
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aed8a3b37be5738f54940473c678ad00befc7809b4f42b1b99d8c8ebabcd2ba2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F9614B3AB002059FCB55CF69D88099ABBF6FF8D300B1581A9E609DB321D731ED15DB90
                                                                                                                                                                                                                                          Function 06CBE7D8 Relevance: 1.4, Strings: 1, Instructions: 181COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: L<et
                                                                                                                                                                                                                                          • API String ID: 0-2450853546
                                                                                                                                                                                                                                          • Opcode ID: 9b04c08dbe8d42a369a2ed9b368e4ad5b41bab0ccc0928b615c88f75ba42b0ad
                                                                                                                                                                                                                                          • Instruction ID: 2b0c00c32d9f269b6cf279a97c11d416f903b0582378d6da2fc4fe00e6f9d980
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9b04c08dbe8d42a369a2ed9b368e4ad5b41bab0ccc0928b615c88f75ba42b0ad
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 88615B30B002049BDB949B69D5986EEBBF7AF88A44F24842DD406EB354DF70ED05CBA1
                                                                                                                                                                                                                                          Function 06CB6C10 Relevance: 1.4, Strings: 1, Instructions: 154COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: |7et
                                                                                                                                                                                                                                          • API String ID: 0-1852512746
                                                                                                                                                                                                                                          • Opcode ID: 419bc583239124e3154666b18e405d674d0524fdae5832f61784c2e619e9d1c6
                                                                                                                                                                                                                                          • Instruction ID: cf212296c6c6551642d303f165e008addfc8e938ec4204fe371173d8e769dc4d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 419bc583239124e3154666b18e405d674d0524fdae5832f61784c2e619e9d1c6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BE51A130B002068FCB54DB69C850AAEBBF2FF84210F158169E806DB3A5DB30ED05CB91
                                                                                                                                                                                                                                          Function 06CBC4D8 Relevance: 1.4, Strings: 1, Instructions: 144COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q
                                                                                                                                                                                                                                          • API String ID: 0-2414175341
                                                                                                                                                                                                                                          • Opcode ID: 4ede11ad04e29a291fb327c484d56910a795b65e6b7e40e4cb73bc6077388552
                                                                                                                                                                                                                                          • Instruction ID: 2d5dafe9a55d6d20ad2d7dae1c7cedcb3db6d1f3ceaab3e4bcf48d0b0a5ef5dc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4ede11ad04e29a291fb327c484d56910a795b65e6b7e40e4cb73bc6077388552
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2951D0357047418FD325DF35D494A6ABBE2EFC5200B0886ADD44ACB766DE30ED0ACB91
                                                                                                                                                                                                                                          Function 06CBE428 Relevance: 1.4, Strings: 1, Instructions: 132COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (Aq
                                                                                                                                                                                                                                          • API String ID: 0-165228061
                                                                                                                                                                                                                                          • Opcode ID: 2e534d1aaeb1d1464553e3a47b2c6993c19ae10e7d389c271be0ec476c88fa6c
                                                                                                                                                                                                                                          • Instruction ID: 55a83d5ef08c428352a576b0e9b9ee9c4a0980d7eaa9a1d0ef5476702155c555
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2e534d1aaeb1d1464553e3a47b2c6993c19ae10e7d389c271be0ec476c88fa6c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1C418E70B102149FDB54DFA9D858AEEBBB6FF88640F144529D902EB350EF70AD05CB91
                                                                                                                                                                                                                                          Function 06CBE7C7 Relevance: 1.4, Strings: 1, Instructions: 123COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: L<et
                                                                                                                                                                                                                                          • API String ID: 0-2450853546
                                                                                                                                                                                                                                          • Opcode ID: 689d9746274ca629df630b6dc69c4c78640749e940adeef0aaf3f610933c33e1
                                                                                                                                                                                                                                          • Instruction ID: 650ac8b63d20fe9c38fe831dd64258a200baf3b0b4a705dae0d7e3ea6fc2a056
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 689d9746274ca629df630b6dc69c4c78640749e940adeef0aaf3f610933c33e1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7B418031B102049BDB549B69D8547EEBBF7AFCCA40B24842DE406EB354DE70AD058BA1
                                                                                                                                                                                                                                          Function 06CB85B0 Relevance: 1.4, Strings: 1, Instructions: 119COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q
                                                                                                                                                                                                                                          • API String ID: 0-2414175341
                                                                                                                                                                                                                                          • Opcode ID: dbd558fb7b1ae5d16c8e92ab4790e7c79ef8eb8cf7f8089e6c27b8a031779fa0
                                                                                                                                                                                                                                          • Instruction ID: cfbc1524ee09abdf70b88200dde4f3978d0a64f6fc95d15e6d939171080d7536
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dbd558fb7b1ae5d16c8e92ab4790e7c79ef8eb8cf7f8089e6c27b8a031779fa0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C641AB34B006048FDB54CF69C480AAAB7F6FF89314B1596A9D41AEB361DB30ED41CB94
                                                                                                                                                                                                                                          Function 06CB3719 Relevance: 1.3, Strings: 1, Instructions: 92COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: LRq
                                                                                                                                                                                                                                          • API String ID: 0-3187445251
                                                                                                                                                                                                                                          • Opcode ID: 765d56ca1257a02eefa116ccf86e7c9cfb7a904c6704dfb9573ba56e3ceffc2d
                                                                                                                                                                                                                                          • Instruction ID: 7b428a894bc7c2c4d47683dce9dae223c413756ed3bf04976189ba72e0c0c9d9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 765d56ca1257a02eefa116ccf86e7c9cfb7a904c6704dfb9573ba56e3ceffc2d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E6212771B00285AFDB98CA299C447BF3BAAEFC5204F14512EE40AD7291EB74DE00C751
                                                                                                                                                                                                                                          Function 06CB4EB2 Relevance: 1.3, Strings: 1, Instructions: 91COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 4'q
                                                                                                                                                                                                                                          • API String ID: 0-1807707664
                                                                                                                                                                                                                                          • Opcode ID: 214a00879715bd9adc3fec844e7daa2fff36eda2053c75cd4b6c2591b805a2fe
                                                                                                                                                                                                                                          • Instruction ID: 1064bd794edd5c7d147e91af78dcf2478f23122bdc8d330d52977d79befa0672
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 214a00879715bd9adc3fec844e7daa2fff36eda2053c75cd4b6c2591b805a2fe
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BD319231B0030A8FDB64DF68D880A9EBBE2FFC5205F148559E8058F356DB30E906CB92
                                                                                                                                                                                                                                          Function 06CB45C8 Relevance: 1.3, Strings: 1, Instructions: 85COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q
                                                                                                                                                                                                                                          • API String ID: 0-2414175341
                                                                                                                                                                                                                                          • Opcode ID: dedffe4c08fe081cdd704e4b4981a4f702a669ab13fd31ad3e3aee97a691349d
                                                                                                                                                                                                                                          • Instruction ID: 9aefc398f1e156096bfed218bb2f3d9cd58f7b54659f49ce5eb3d3fbc785b362
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dedffe4c08fe081cdd704e4b4981a4f702a669ab13fd31ad3e3aee97a691349d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AE2125347042009FDB18DB2DE810A6A77E7EFCD21071980A9E60ACF356DB31EC06C7A5
                                                                                                                                                                                                                                          Function 06CBAAA7 Relevance: 1.3, Strings: 1, Instructions: 77COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: l
                                                                                                                                                                                                                                          • API String ID: 0-2517025534
                                                                                                                                                                                                                                          • Opcode ID: 74e6d067b46178b957f034a808977ce81e556d07ea72797126b828911ce4293c
                                                                                                                                                                                                                                          • Instruction ID: c00ce803af941850c582bd1f8483a410127e1ce5634731f540aff35550d36a84
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 74e6d067b46178b957f034a808977ce81e556d07ea72797126b828911ce4293c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A6319E34E053499FDB51DFA4D450AEDBFB1EF49200F40049AD881EB351DA306A45CB92
                                                                                                                                                                                                                                          Function 06CBAF10 Relevance: 1.3, Strings: 1, Instructions: 70COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: \;q
                                                                                                                                                                                                                                          • API String ID: 0-705206692
                                                                                                                                                                                                                                          • Opcode ID: 3a4d0a2b3a43c2a07e5dc256bc8403ccc234f07474a470951ce0b2af2b29fd6f
                                                                                                                                                                                                                                          • Instruction ID: 16bf5f07d21ec8098cc2fde3e9816092c1599700d6513c573e626919ff227ffe
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3a4d0a2b3a43c2a07e5dc256bc8403ccc234f07474a470951ce0b2af2b29fd6f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 04117072B042114F9B649AEEB484A9BB7DBEFC8165714803EF60EC7B54DE71EC024360
                                                                                                                                                                                                                                          Function 06CB5F48 Relevance: 1.3, Strings: 1, Instructions: 67COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: LRq
                                                                                                                                                                                                                                          • API String ID: 0-3187445251
                                                                                                                                                                                                                                          • Opcode ID: 831d936a333d36e6722c86941b0d7562b9e9269ed8cfbf52023f6d6dbe936c52
                                                                                                                                                                                                                                          • Instruction ID: 4f96a087330d7fcfbb431d30b52a39c1405fe896fa266676962811aa5e7e80f8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 831d936a333d36e6722c86941b0d7562b9e9269ed8cfbf52023f6d6dbe936c52
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FB216F34B10108DFD7589F6AD459AAEBBF6FF88610F148019E902E73A0DE70AD01CB95
                                                                                                                                                                                                                                          Function 06CB5F47 Relevance: 1.3, Strings: 1, Instructions: 66COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: LRq
                                                                                                                                                                                                                                          • API String ID: 0-3187445251
                                                                                                                                                                                                                                          • Opcode ID: aef344c3024bb2134201dadfa561e41e0d72e8ce231b52aa80a01291eee62578
                                                                                                                                                                                                                                          • Instruction ID: c6ec6f2847e89c14181af844685ccfd092d932012efe3bcd8c922f88db775c3c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aef344c3024bb2134201dadfa561e41e0d72e8ce231b52aa80a01291eee62578
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 45215134B10104DFD7549F69D459AAEBBF6EF88610F148019E906E73A0DE719D01CB95
                                                                                                                                                                                                                                          Function 06CB3370 Relevance: 1.3, Strings: 1, Instructions: 63COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: fq
                                                                                                                                                                                                                                          • API String ID: 0-2523619172
                                                                                                                                                                                                                                          • Opcode ID: cc849b4499cca166bd26f66541fe3b479434146a05f5a7c4301be993e6c0abcd
                                                                                                                                                                                                                                          • Instruction ID: 31114afb4f1a6d0836b2849154c7166e23e4a8356ac4f9d95ec88772dcfdacb7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cc849b4499cca166bd26f66541fe3b479434146a05f5a7c4301be993e6c0abcd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 95116D79B011146FDB489FA998449BE7FBAFBC8710F108129F906D7340DE359D069B91
                                                                                                                                                                                                                                          Function 06CB0C1C Relevance: 1.3, Strings: 1, Instructions: 60COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q
                                                                                                                                                                                                                                          • API String ID: 0-2414175341
                                                                                                                                                                                                                                          • Opcode ID: ae249f6b82003e7d2bbe958560b782bf445852fea31c14da9dca7aacb2b52ce2
                                                                                                                                                                                                                                          • Instruction ID: debd4441063e56ba5098d7b76baf3af094a4526ef6b917329e45a3396734213e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ae249f6b82003e7d2bbe958560b782bf445852fea31c14da9dca7aacb2b52ce2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FA11C231F042455BF798AB6998243FF7AE7ABC9200F29546ED502F7381CE365D0583E6
                                                                                                                                                                                                                                          Function 06CB3380 Relevance: 1.3, Strings: 1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: fq
                                                                                                                                                                                                                                          • API String ID: 0-2523619172
                                                                                                                                                                                                                                          • Opcode ID: 8af1b1e6f19ee94595a488320e34dda9dd25ea60f15b597d31159123cb0449e5
                                                                                                                                                                                                                                          • Instruction ID: 92df2e1c3472b34621b07833ac89e81fbb47cf8d8dc63f95f133cdd1640e6f7a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8af1b1e6f19ee94595a488320e34dda9dd25ea60f15b597d31159123cb0449e5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 64115A79B002145FDB44ABAA98449BEBFBAFB88600F008029FE06D7340DE359D168B91
                                                                                                                                                                                                                                          Function 06CB57B8 Relevance: 1.3, Strings: 1, Instructions: 47COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q
                                                                                                                                                                                                                                          • API String ID: 0-2414175341
                                                                                                                                                                                                                                          • Opcode ID: 8e04716ea11514890e8ab00652442f867287a89fadc69f0c6b6db350b42eee7b
                                                                                                                                                                                                                                          • Instruction ID: 7d113bcced30225bd099f21fae22277e2b8cefc00c838e071f9d126892cc482a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8e04716ea11514890e8ab00652442f867287a89fadc69f0c6b6db350b42eee7b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5B01D4247083004FE7159B39D850A6D3BD7AFC911031885ADD54ACF7A1EE25EC07D391
                                                                                                                                                                                                                                          Function 06CB858F Relevance: 1.3, Strings: 1, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: ~
                                                                                                                                                                                                                                          • API String ID: 0-1707062198
                                                                                                                                                                                                                                          • Opcode ID: 10b5b5393340e690a4dcf90e4dd692d56e875543b2f645b07f1e76db5aad4e25
                                                                                                                                                                                                                                          • Instruction ID: bce9202b72b8519d6a102f2fbac7e529f3c681ea7c67f1d91b75f5a9d6b7358c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 10b5b5393340e690a4dcf90e4dd692d56e875543b2f645b07f1e76db5aad4e25
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 87017B76F0A3408FEF50CFB8E444A997B65AFD5210B1841AEE5168F366D732DC09D728
                                                                                                                                                                                                                                          Function 06CBEA75 Relevance: 1.3, Strings: 1, Instructions: 44COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: T;et
                                                                                                                                                                                                                                          • API String ID: 0-49768287
                                                                                                                                                                                                                                          • Opcode ID: d0ed128f1ddd9af8626ab3d30dc0f19991fdafab00e5599813b8189d6f30b1df
                                                                                                                                                                                                                                          • Instruction ID: f049dc312fd01accfbf9f9789820c22b20de27a69de9e5e21a4a1bc2ddb556d1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d0ed128f1ddd9af8626ab3d30dc0f19991fdafab00e5599813b8189d6f30b1df
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 16F059363092001FC70526AD88548ABBFFFAFCA52031941BBE008CB362DD559C0687B3
                                                                                                                                                                                                                                          Function 06CB99A8 Relevance: .3, Instructions: 299COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dd89e6a023cc4bd6088faa3f09c60709fc296f5b911cbb28f3a126bddf811a67
                                                                                                                                                                                                                                          • Instruction ID: 8980ce99d24b2d70d3163e0bc3f10d81c764da53a08c6f01d58bedfe4873450e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dd89e6a023cc4bd6088faa3f09c60709fc296f5b911cbb28f3a126bddf811a67
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 73D1F534E003598FDB55DFA9C888A9DBBF2BF8A300F148199D909AB365DB70ED45CB50
                                                                                                                                                                                                                                          Function 06CBABA0 Relevance: .2, Instructions: 186COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2ee01e75e20551e69a8531a8522e311eac3d7f5142e9345f0805de0cb4385473
                                                                                                                                                                                                                                          • Instruction ID: 0781b6c5137226cc5e69d5f8ea1d99c6b3ce9a1073f46292cd4a53e06d62e213
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2ee01e75e20551e69a8531a8522e311eac3d7f5142e9345f0805de0cb4385473
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A6510834B101018FDB98AF7AD498A6A77E6FFC9711B2994A9E446CB371DE31DC01CB80
                                                                                                                                                                                                                                          Function 06CB5482 Relevance: .2, Instructions: 154COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 532d52c0056baab7a83f290f8c4a3ae59c760b9c973720e5267b9796d71cc487
                                                                                                                                                                                                                                          • Instruction ID: 4625e796f299319436c70834cdbd11d3f055bddc7afe5763f2f1dceade91d8ee
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 532d52c0056baab7a83f290f8c4a3ae59c760b9c973720e5267b9796d71cc487
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2B51DE74E0020A9FDB55EFE4E8546AEBBB2FF88201F504419E916A7350DF352D05DF62
                                                                                                                                                                                                                                          Function 06CB60D9 Relevance: .1, Instructions: 147COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 990ea63f21fdc287aedc262e9bf2d0092fcb8e65c13ac4861f2218e1e358c742
                                                                                                                                                                                                                                          • Instruction ID: fac855cd756300aa72da9efd17bd67dbf2b5b5867e75affa3ce8f3dcb76c6261
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 990ea63f21fdc287aedc262e9bf2d0092fcb8e65c13ac4861f2218e1e358c742
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EE51D974E002089BEB55EFE4C860BDEBB72EF88310F104069D617B77A0DE356D46AB61
                                                                                                                                                                                                                                          Function 06CB34A8 Relevance: .1, Instructions: 141COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 18849bf104b7622c97f8b4ae3cd41da4e730f84d7b2ffcaa36975fdf2ff8d3ef
                                                                                                                                                                                                                                          • Instruction ID: fa55ad0c38f4835e6c9ec47fc773972acb62a78dffac3e9947b0e30f5da1c103
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 18849bf104b7622c97f8b4ae3cd41da4e730f84d7b2ffcaa36975fdf2ff8d3ef
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 895171387102055FD755EB29D99056DBBA3FFC4604B108628E8068F759DF70BD0ACBD1
                                                                                                                                                                                                                                          Function 06CBB4F7 Relevance: .1, Instructions: 138COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a3fded00669094633aa2c0bd7854ebfa9b8205a04d75548e2a74246a44662cd0
                                                                                                                                                                                                                                          • Instruction ID: ee8655f824a3c524b9fb1e795ed58aebc76a3971c1485dcb347f1fd7a2c18ed2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a3fded00669094633aa2c0bd7854ebfa9b8205a04d75548e2a74246a44662cd0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F0417C35A0A3D19FE7139B349C656D63F719F43214B0A40D7E881CF2A3DA249D4EC7A6
                                                                                                                                                                                                                                          Function 06CB34B8 Relevance: .1, Instructions: 137COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 03b712af63e8b204f81c7b629a1babb2b6bc50fd5b001ea34ff0bf89363a6022
                                                                                                                                                                                                                                          • Instruction ID: 8a048458a3b1b8e09f213440fbac1d7f0ccdfa0a81882c0b9495041d7acfb545
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 03b712af63e8b204f81c7b629a1babb2b6bc50fd5b001ea34ff0bf89363a6022
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B5516038B102165FD755EB29D99096DBBA3EFC4604B008628E8069F758DF70BD0ACBD1
                                                                                                                                                                                                                                          Function 06CB5490 Relevance: .1, Instructions: 136COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0152676d6ca340b755a9248be6dc9aa052b22f967c7aca897025fd60afa8bd6b
                                                                                                                                                                                                                                          • Instruction ID: fe4aab3eda4370a1bcad0d825be3b7530255908c559b765ac608226c8c3cdaba
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0152676d6ca340b755a9248be6dc9aa052b22f967c7aca897025fd60afa8bd6b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2E51AA78E0021A9FDB55EFE4E8546AEBBB2FFC8201F104419E916A73A0CF312D45DB61
                                                                                                                                                                                                                                          Function 06CBE1E0 Relevance: .1, Instructions: 113COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3090e9748efedf76953105c60b95359462b7f8b0c1a5f7c56900eff3820b1861
                                                                                                                                                                                                                                          • Instruction ID: f84ca1205be994ddf1818ca81311832310adfff8a075ca89e61bf7283eff2fbe
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3090e9748efedf76953105c60b95359462b7f8b0c1a5f7c56900eff3820b1861
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E8415C35E012599FCB14DFA9D8849DEBBB2FF89340F148129E801AB364DB70ED46CB90
                                                                                                                                                                                                                                          Function 06CBC9A8 Relevance: .1, Instructions: 107COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fdcfc444db8e0cece7140b2e991b2378c68895cde87f2176943779e534d3798c
                                                                                                                                                                                                                                          • Instruction ID: 3f79beaaad412ac60548d171be4082765c028a6e6d04b2de9786e08d14fd743d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fdcfc444db8e0cece7140b2e991b2378c68895cde87f2176943779e534d3798c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 97319A9281F3E02FEB23AB3898715DA3F708D53555B1A05C7D0D1CE0A3D5088A4EC3AB
                                                                                                                                                                                                                                          Function 06CBF69B Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 40abf417da45450c44ad67d6b6a3696cbb7fa9421d71f3af016b01014a7a082e
                                                                                                                                                                                                                                          • Instruction ID: 81054dfcd53b1e2dc67908238f7bc07e770bc30638ae6740773e61ba754caadf
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 40abf417da45450c44ad67d6b6a3696cbb7fa9421d71f3af016b01014a7a082e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9941F534B002258FCB24DF38D888A6EBBF6AFC9201B04446DE546CB365DA70ED09CB91
                                                                                                                                                                                                                                          Function 06CB2268 Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ebad16ef99fc8ad537477d3fe461f0d17c9270ffc0856a13fbbe157edd7c4504
                                                                                                                                                                                                                                          • Instruction ID: 6a64ee7184d7247eadbb68c80c36bf96efb3057b85a44b18d74893b26b298cc8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ebad16ef99fc8ad537477d3fe461f0d17c9270ffc0856a13fbbe157edd7c4504
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B041F939B101149FCB54DF69D88099EBBB6FF88310B148169E915EB365DB31ED41CB90
                                                                                                                                                                                                                                          Function 06CBF6A8 Relevance: .1, Instructions: 103COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 99d0160a01a37cfd3c64ef93eff64585fbbdfd57ce70d4fd95c4a1b8c2eae15d
                                                                                                                                                                                                                                          • Instruction ID: 6a81f784e76328dbe8eb07fb753874091faf0ea286a08fb3e8e58cf2f2d71c1a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 99d0160a01a37cfd3c64ef93eff64585fbbdfd57ce70d4fd95c4a1b8c2eae15d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4341B534B002658FCB64DF29D888A6EBBF7AF89201F04445DE546CB365DB70ED05CB51
                                                                                                                                                                                                                                          Function 06CBB080 Relevance: .1, Instructions: 103COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7c74ff518fca3de7cb4292bc2538dbe806acba3bba343cbfd19a401a160868c5
                                                                                                                                                                                                                                          • Instruction ID: 0281d80f730a02d43d26dc4e8c72bd6251e33f39885699979177bd5d1cf37e4b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7c74ff518fca3de7cb4292bc2538dbe806acba3bba343cbfd19a401a160868c5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BC319E75F001058FDB50CF69E980AAEF7AAEF84214F18C16AE919C7751DB70ED02CBA0
                                                                                                                                                                                                                                          Function 06CB310C Relevance: .1, Instructions: 92COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 307f510336991f90b094da9fd03bb14d4acf3d2a795f402e8e546b83946a1f4b
                                                                                                                                                                                                                                          • Instruction ID: 473a7949507dd7c8f234edac2a64b68c6c779f103f539e5b31af2029aa6779bb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 307f510336991f90b094da9fd03bb14d4acf3d2a795f402e8e546b83946a1f4b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2A214632E963A83FDB8226A52C103FA7F5CDF82220F146067ED4CDA251CD29CD45E391
                                                                                                                                                                                                                                          Function 06CBC558 Relevance: .1, Instructions: 87COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a0d8b9c0c1a03b342b782ba6b39bffbce4c42bc351a28cf49fd512d9203553b2
                                                                                                                                                                                                                                          • Instruction ID: 0653d7de05cddc7aa97d281862885354f3e1e3415092535fc75532e8ba0713b3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a0d8b9c0c1a03b342b782ba6b39bffbce4c42bc351a28cf49fd512d9203553b2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DB31BC396007018FC325DF35D894966BBF2FF89300B089AA9D44A8B766CA30FC46CB90
                                                                                                                                                                                                                                          Function 06CBB598 Relevance: .1, Instructions: 75COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 276d0beb51d692dabe36272716d78c55e5695c036b8c8257559609a4aeca74da
                                                                                                                                                                                                                                          • Instruction ID: a392f29e8ea779e220465666b62c823629cc560212f0bab67fcc6e2a88825263
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 276d0beb51d692dabe36272716d78c55e5695c036b8c8257559609a4aeca74da
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 69219238B00219CFEB549B75E8456AA7BA6FB84755F108079ED06C7340EF70AD46CB91
                                                                                                                                                                                                                                          Function 045DD6A4 Relevance: .1, Instructions: 75COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.1392376779.00000000045DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045DD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_45dd000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 41063a3908903ec380b2bde7bcb2748cb859a8e15f40a5cd8fe8018927417bd4
                                                                                                                                                                                                                                          • Instruction ID: b70bd647913a818f8ee9bb76adb597571127c2e5aaab85820b290f3982f4761b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 41063a3908903ec380b2bde7bcb2748cb859a8e15f40a5cd8fe8018927417bd4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AF210375604240DFDB25DF18E9C0B26BF75FF84324F2085A9D8090B246C336E45AEBA2
                                                                                                                                                                                                                                          Function 06CBB930 Relevance: .1, Instructions: 72COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 91f84a4fb1acebc999a1e43a0a44a30c5ea7a1aaea80eef456de5e5f56f7bcad
                                                                                                                                                                                                                                          • Instruction ID: b6fd7a2538cd443e3d917a4010835108a1c476372e6ee450d25433fdfa0655ae
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 91f84a4fb1acebc999a1e43a0a44a30c5ea7a1aaea80eef456de5e5f56f7bcad
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 13116371F152104F97A4DA6ED890A6BF3E6DFD8161B14903EE94AC7744DE71EC01C390
                                                                                                                                                                                                                                          Function 06CB1079 Relevance: .1, Instructions: 70COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d64ee3bd8bea0f9908866b6543753f9423e16e778ebaadac49e35b192eb5f0b8
                                                                                                                                                                                                                                          • Instruction ID: 1998f1750d6aea1ba6fbf59baffd7e309b2cca5ef4240ee0391faff84ff63e91
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d64ee3bd8bea0f9908866b6543753f9423e16e778ebaadac49e35b192eb5f0b8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1F11EC32F102189BEB548AB698547FEBBEADBC8154F08813AD906D7740DE74CE0687D1
                                                                                                                                                                                                                                          Function 06CB4551 Relevance: .1, Instructions: 69COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b32c8889453406c84bfa04b4f532dd9fa952ef27f2e52612a22cb3fb4ba063b9
                                                                                                                                                                                                                                          • Instruction ID: 3a83131c09bf5b19eae219995662ea7353023a3e32af4f9463e2563fab638fd8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b32c8889453406c84bfa04b4f532dd9fa952ef27f2e52612a22cb3fb4ba063b9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2A113631B047024FD769AB7DE84086E7BE6EFC5250305852EE50ACF316DF20ED0A8796
                                                                                                                                                                                                                                          Function 06CB30FC Relevance: .1, Instructions: 67COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c6180c5809f3f323e5a65ff13839e73633b56e182dd311abda2d8c5593861c0a
                                                                                                                                                                                                                                          • Instruction ID: ed7cdb3c5b15d13e68ceecec77476fd29e1f1425bada496a7520524eb3ec0ab6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c6180c5809f3f323e5a65ff13839e73633b56e182dd311abda2d8c5593861c0a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 61112920F183981BFBA8227518203FE2F8D8F86614F0554BFC94ADB382DD98DD0563D6
                                                                                                                                                                                                                                          Function 06CBA219 Relevance: .1, Instructions: 62COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: eddde752fa00839c37283120eec942896e1ed8701940ae453757f228e4f61bf0
                                                                                                                                                                                                                                          • Instruction ID: 72894ca39ec9fb15851cb510a41968b36e8d089577243f496dbf5990f43515e1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eddde752fa00839c37283120eec942896e1ed8701940ae453757f228e4f61bf0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BA112C34E042099FDB54CF96C984BDEBBF5EF88710F219169E845AB350CA71ED46CBA0
                                                                                                                                                                                                                                          Function 06CB2261 Relevance: .1, Instructions: 61COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 695cebc30e89536dd0b9186faee5a01e7eb2178ad9afcf5558aa638eea72b146
                                                                                                                                                                                                                                          • Instruction ID: 7f83ec8b9a2cb09b7833e21ee3ddd17ea8bf36b3e203761422ce74bd627bbbe5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 695cebc30e89536dd0b9186faee5a01e7eb2178ad9afcf5558aa638eea72b146
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1611EA75E101189FCB94DF69D88499EBBB6EF8C710F108129E915E7325DB31A941CBA0
                                                                                                                                                                                                                                          Function 06CB3A35 Relevance: .1, Instructions: 61COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 47e20a6616ae890e0b0c9bfd68758b4a893592f44fb02d8d633140f85eec0401
                                                                                                                                                                                                                                          • Instruction ID: 0b77a36aa33854c70b0e539929dfc2214e9ec54371100d0c99c3d16114a6c0fb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 47e20a6616ae890e0b0c9bfd68758b4a893592f44fb02d8d633140f85eec0401
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ED118734A00109AFDB44DFA5C860ADE7BF6EF8C314F149428E419A7781DF75AC45CBA0
                                                                                                                                                                                                                                          Function 06CB3A38 Relevance: .1, Instructions: 59COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cde41a429a2c437ccc8b96e53940daad5734506986e3a2510377d06f7092c503
                                                                                                                                                                                                                                          • Instruction ID: 49bc6faedb25f164b80a6e9cb4f019fd3157d461a838574753aa1830d81fe664
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cde41a429a2c437ccc8b96e53940daad5734506986e3a2510377d06f7092c503
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A1118734A00109AFDB44DFA5C860ADE7BF6EF8C314F148424E419A7780DF75AC45CBA0
                                                                                                                                                                                                                                          Function 06CB28F8 Relevance: .1, Instructions: 59COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1840898d7be2409c432283a5e1adb5d9144d6fcfc420f71593bf53d47a3f209c
                                                                                                                                                                                                                                          • Instruction ID: 3d1388166de78efc7d4473f598fd8825c6d5f9e715888b0688d12fb335198380
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1840898d7be2409c432283a5e1adb5d9144d6fcfc420f71593bf53d47a3f209c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3711A25691E3E02FE313AB386C702D63FB09E93105B0B41D3D0D1CE0A3D509990EC3AA
                                                                                                                                                                                                                                          Function 06CB1378 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2a31705855264bc16b92c506252ffb0f65cc668504e3916c57f1cfbb7dbcacb1
                                                                                                                                                                                                                                          • Instruction ID: 39a6d827248c9ed9802322560a34cc2f5d255c2e4e783b24c597f65dbc132688
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2a31705855264bc16b92c506252ffb0f65cc668504e3916c57f1cfbb7dbcacb1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F3210470D002498FDB24DFAAC885BEEFBB0FF48214F54852DD819A7640C7755906CFA1
                                                                                                                                                                                                                                          Function 06CBAAE0 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 02b4027b64ab443ac19818000b11278f9251363b89e4746a186aefdaeba19694
                                                                                                                                                                                                                                          • Instruction ID: 10f9b53ecda486fb0ab5b92e9d59388c2f099228a37525f45434444abed4f56a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 02b4027b64ab443ac19818000b11278f9251363b89e4746a186aefdaeba19694
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9F21D374E0020DDFDB54EFA8D490AAEBBF2FF88210F504599E955AB354DB30AA41CB91
                                                                                                                                                                                                                                          Function 045DD69F Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.1392376779.00000000045DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045DD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_45dd000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bb6f562682ecfd4bb4bbbdc0362a4aa3d6694763a3d687d4c16d70a054081591
                                                                                                                                                                                                                                          • Instruction ID: 39f6223c937dc26b098793a88122d5e6701e4c72900e51e46792dab630b41046
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bb6f562682ecfd4bb4bbbdc0362a4aa3d6694763a3d687d4c16d70a054081591
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1C11AF76504280DFCB16CF14D9C4B16BF72FB84324F2486A9D8494B656C336E45ADBA2
                                                                                                                                                                                                                                          Function 06CB1961 Relevance: .1, Instructions: 54COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 84a2b8f5516aad2925ddcbe51203a9dc2f55f50993bffbf51dc0f1738ccf041a
                                                                                                                                                                                                                                          • Instruction ID: 4eff63b7820452bda5c3523a56dbda3867aa18d3f083543deb3cfc05da1edf42
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 84a2b8f5516aad2925ddcbe51203a9dc2f55f50993bffbf51dc0f1738ccf041a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 19119334600118AFDB04CFA5D454AE97BB2EFCD314F148519E81A9B341CF785C45CBE0
                                                                                                                                                                                                                                          Function 06CB46C8 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b3390642b98c3b241e39b608d4a168f639923b37bda9e54928d24f2594333e20
                                                                                                                                                                                                                                          • Instruction ID: 4db8e36b52a22195b2b54f29cb212ace828452eb029ce07ff93a44c90d1d1e16
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b3390642b98c3b241e39b608d4a168f639923b37bda9e54928d24f2594333e20
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B8018470D4A3486FC755DFA4E8005DDBBB89A45201B0141E6E848DB312D6365A05CBDA
                                                                                                                                                                                                                                          Function 06CB1440 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cb66706828eb0cc7fa560abdc86ec5a50140cffe5c68b1e9f77eae9086a5e28c
                                                                                                                                                                                                                                          • Instruction ID: a5061ab38a4733b609e1e1be9a943aeab4175d93e7899d539de4f9e8d157d7d5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cb66706828eb0cc7fa560abdc86ec5a50140cffe5c68b1e9f77eae9086a5e28c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EC012830E1934C2FD7499BB968316A63FD9DEC620970D0DAEE949CF192E914DE08C7E1
                                                                                                                                                                                                                                          Function 06CB1380 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ce122df69dbb8711d489c5e0564e3d965f7bac625fa811b4aabfe474f32738d3
                                                                                                                                                                                                                                          • Instruction ID: 8f6a3ac1a1cb55a04f29af1a1a38047f0e281370a8db93fde8fa9636faa02965
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ce122df69dbb8711d489c5e0564e3d965f7bac625fa811b4aabfe474f32738d3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C411E3B4D002098FDB20DFAAC881BDEFBF4FB48214F548529D91967640CB756905CFA5
                                                                                                                                                                                                                                          Function 06CB1829 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 70248af7070ad02cfe7daf376a97d15887366290efc4e3cd0ecd466f4fd85ffb
                                                                                                                                                                                                                                          • Instruction ID: eae82450fda6033ef89486996011a38e0c8ae6d951f0f1883c8343492a927715
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 70248af7070ad02cfe7daf376a97d15887366290efc4e3cd0ecd466f4fd85ffb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9501A271F0010467FB98AA6998657FF7AABABC8200F15502EE101F3780CEB65D0187F1
                                                                                                                                                                                                                                          Function 06CB1968 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: aa2b70b2c59ade22919081cd00ae49e80ad4bfd94b67394c732311a976fb5843
                                                                                                                                                                                                                                          • Instruction ID: 55ac90c7b4eebd29c5a04f643553b608651bc233910be43455e8a526dc6a7555
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aa2b70b2c59ade22919081cd00ae49e80ad4bfd94b67394c732311a976fb5843
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E0119435A00218AFDB04DFA6D454AE97BB6EFCD314F148519E809AB340CF796C45CBE0
                                                                                                                                                                                                                                          Function 06CBB070 Relevance: .0, Instructions: 48COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 94a91cb5f9057921ff2c116afc9386e92bed29a70a7f057e2de78edfce9dddf1
                                                                                                                                                                                                                                          • Instruction ID: bb4994cee29cd40330eeec42ba63fa14affdf1f289d04edc597d3460de27835d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 94a91cb5f9057921ff2c116afc9386e92bed29a70a7f057e2de78edfce9dddf1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B8012675B042018FCB148A669840A6AFBAAEFC5200B08C279E919C7345DF30EC06C7A1
                                                                                                                                                                                                                                          Function 06CBB920 Relevance: .0, Instructions: 47COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 32b1e1a5403ef7545df7ded84b7c85df992f66bf5dc0088bfe871317d923d9ab
                                                                                                                                                                                                                                          • Instruction ID: e37c1f3556b659db965758421ec6c7fa1b803f46d80bc31586913d9a53fb8707
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 32b1e1a5403ef7545df7ded84b7c85df992f66bf5dc0088bfe871317d923d9ab
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3E01A271B053404FE7A4CA2998A0A7ABBE9DFD9261B15407EA84EC7741DE21DC02C760
                                                                                                                                                                                                                                          Function 045DD005 Relevance: .0, Instructions: 47COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.1392376779.00000000045DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045DD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_45dd000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0ee86bf20c19cfffa4b62a43e0b26a15dbb96cd87f44fbe371a7784d430e3697
                                                                                                                                                                                                                                          • Instruction ID: 6bb7086c4d3eb1a2bb2b21f690bb554a524a1d225bc64562a33db7f3639105aa
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0ee86bf20c19cfffa4b62a43e0b26a15dbb96cd87f44fbe371a7784d430e3697
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7501406140D3C09FD7228B259D94752BFB4EF83224F1985DBE8888F193D2696C49DB72
                                                                                                                                                                                                                                          Function 06CB56C2 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 56cf99d400dbb69bcc6b9d36fe5d6b9b9004546b6d396306d462d4922b4041e7
                                                                                                                                                                                                                                          • Instruction ID: d860bfcc0fc7c7f61c359bcc50f7522670a44dd3dcc5a33d98f18147fbb4fd40
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 56cf99d400dbb69bcc6b9d36fe5d6b9b9004546b6d396306d462d4922b4041e7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 610142306043816FD721A7B4A84466EBFD6EFC2204300445DE40B8B341CFA1AC0E87B2
                                                                                                                                                                                                                                          Function 06CB67E2 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bb87591601d9315cb5271735bfafe9cffa6e903b9a1143fe757aeb4d165cb276
                                                                                                                                                                                                                                          • Instruction ID: 8ff556818ec8c1f416fdbd776b56733dfc5acad9c492e2b76795db93aaf2d267
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bb87591601d9315cb5271735bfafe9cffa6e903b9a1143fe757aeb4d165cb276
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FB017174E00308AFCB84EFB9D85159D7FF5EF85200B1085A9D405EB351DA316F09DB92
                                                                                                                                                                                                                                          Function 06CBCB90 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3ed5c805b66dbf7ca6078a2a7844d973b185fe389c1cd4984027133ad02fe392
                                                                                                                                                                                                                                          • Instruction ID: 40212517d2f510b22808b29525a2ec9c0493a651c4919a34e0788aa96e27a342
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3ed5c805b66dbf7ca6078a2a7844d973b185fe389c1cd4984027133ad02fe392
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E0F090367081254F97448A6DAC88A6FB7EAFBC4961714057EE509C3350DF61CC01C7A0
                                                                                                                                                                                                                                          Function 045DD01D Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000002.1392376779.00000000045DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045DD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_2_45dd000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 19b53d84bda06a3072aba181b7dad5ffa9d76202e763a4cbd238313f1384822c
                                                                                                                                                                                                                                          • Instruction ID: 0053ddb03a0022d37718ff5a3455f28919f8891265528f7aeba516a9557f93a0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 19b53d84bda06a3072aba181b7dad5ffa9d76202e763a4cbd238313f1384822c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1B01FC305043009BE7304E19ECC4B66BFA8EF81325F08C51ADC480B182E375A849DAB2
                                                                                                                                                                                                                                          Function 06CB6038 Relevance: .0, Instructions: 44COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e06472ab27b8029c1bb95b9cd05d569ca7352a5fa6fd283cdd8c3cc3096e734e
                                                                                                                                                                                                                                          • Instruction ID: a55145b7aa010cc6ba7b14079709d2f1d22e163938238632b7101ddb2eb5f901
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e06472ab27b8029c1bb95b9cd05d569ca7352a5fa6fd283cdd8c3cc3096e734e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9E0149365047A08FC7319B95F8045DABBF0FF82719B10486ED18787622DBF1B949C796
                                                                                                                                                                                                                                          Function 06CBCB7F Relevance: .0, Instructions: 42COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e5a9ac5561a5ae7b7bdda0f9da58e11b085d639f285f66208860139ad57f5c45
                                                                                                                                                                                                                                          • Instruction ID: a23d15ae72e53fd350fa6cd8804c9bfd6ded10ae5fae10dbda5f5d0131574d7c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e5a9ac5561a5ae7b7bdda0f9da58e11b085d639f285f66208860139ad57f5c45
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 55F024727082510FC7944F2DAC54A6BBBFAEFC556070501AEE009CB362CA31CC05C3A0
                                                                                                                                                                                                                                          Function 06CB6769 Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0120cd831ddd495f036c3a539eecf761daff97eb5440e7dbb1ff2ea1f83ad6bb
                                                                                                                                                                                                                                          • Instruction ID: e81ad263a9d3caf2c2308e28879b16df5b629fca4f47429faace44a2bdcd5974
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0120cd831ddd495f036c3a539eecf761daff97eb5440e7dbb1ff2ea1f83ad6bb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 69018F35A016008FCB50CF6AC6905ADF7A2FB88321B64967DC416A7344CB31DD45CBC0
                                                                                                                                                                                                                                          Function 06CB576F Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4c805738947d18c1dbb8de0666d813aba89b0db7f5e55fc82976945d967e4301
                                                                                                                                                                                                                                          • Instruction ID: e6bc667450e5222acaa6166130b0b3fa239c9ecf9cee554e6364431207f36574
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4c805738947d18c1dbb8de0666d813aba89b0db7f5e55fc82976945d967e4301
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FCF0C9367057004FD771AAB8A800AED2B86DFC0132B0485ABE10ADF100CAA16C0A03A1
                                                                                                                                                                                                                                          Function 06CBE3EB Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bdf81adce243b26244855cec5c6eafe756ddb1d634fc66454090f6d7c93bf28a
                                                                                                                                                                                                                                          • Instruction ID: df88c1d388e2ba3bea355c1a2e11bfbadba5eb503b976d1e4abb5a544b1f22ac
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bdf81adce243b26244855cec5c6eafe756ddb1d634fc66454090f6d7c93bf28a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2401D679B206114FD711965898407FE77A3FBC8650F14815AD9029B344DF707D06CBD1
                                                                                                                                                                                                                                          Function 06CBE36A Relevance: .0, Instructions: 40COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bb709393072ea09db431e66d863d830693f5c1f4ec32da81896a1faf90311fa8
                                                                                                                                                                                                                                          • Instruction ID: 63961c023270180a66923f322085b5d9089beda5a019d891ed261c0122c61d95
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bb709393072ea09db431e66d863d830693f5c1f4ec32da81896a1faf90311fa8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E7F0A43AB206214BD711965898507BD7763FBC8650F148559DA069B344DF70BD07C7D1
                                                                                                                                                                                                                                          Function 06CB0E6C Relevance: .0, Instructions: 40COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6acdc50764a0f2092561c7e5a343905b1bfc4bcad5bdea9c0187237e08a74ea8
                                                                                                                                                                                                                                          • Instruction ID: 0e90e6e66e85d592e19241cb615c001eba3c9c8a9bc8577d00b2af34d7efb225
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6acdc50764a0f2092561c7e5a343905b1bfc4bcad5bdea9c0187237e08a74ea8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C8F02B34F483841FF79552721C303B62FA69BC1214F08A46AE946CB7C2CC285C0443A1
                                                                                                                                                                                                                                          Function 06CBAF00 Relevance: .0, Instructions: 40COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 60ab8a2cb32cd54245c8abb6c7e948d24cbf01c15498b04c0f4e2e6f28a6efa1
                                                                                                                                                                                                                                          • Instruction ID: a44b69bdccf99adf1fc9213a54bb5eb4c0ab9ced51aa26d1f5e5ef3cf2d9fda5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 60ab8a2cb32cd54245c8abb6c7e948d24cbf01c15498b04c0f4e2e6f28a6efa1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B0F0E9717053552F976546AA7C40997BBDEDEC9160305816AF54DC7312DD70DC0583B1
                                                                                                                                                                                                                                          Function 06CB68D1 Relevance: .0, Instructions: 39COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fb310dce8d273dd14351908aa2efcc892fa482b6a26089d288192e8840b4ab09
                                                                                                                                                                                                                                          • Instruction ID: 99a99bfefa5db40d85f5a746333ec05df468150d549802b050349af024a4ee67
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fb310dce8d273dd14351908aa2efcc892fa482b6a26089d288192e8840b4ab09
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4FF0BB76A042046FC716CF59D840C99BFFAEF8A61070680A7E548CB212D731DD05CBA0
                                                                                                                                                                                                                                          Function 06CB56D0 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fb3842e632c34ab978b56676ef2d64895c5f2642a4f6a1cd2422043e5d0ee3db
                                                                                                                                                                                                                                          • Instruction ID: 7b45e52098e7bf35385421fdfa092c37ef0924b5944b840a37b53671f2a4aba4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fb3842e632c34ab978b56676ef2d64895c5f2642a4f6a1cd2422043e5d0ee3db
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 80F0CD30700346ABE764BBA9E44466EBBD6EFC5254740492CE50B8B750DFB1BC0E87E2
                                                                                                                                                                                                                                          Function 06CB46A0 Relevance: .0, Instructions: 37COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: aaf8fa0282dca575d2b9adc6fd1103f84549fa4905ab16d9e11c9bc7518bb412
                                                                                                                                                                                                                                          • Instruction ID: 148de2dd2ca6e23f88a814b264f44c6fbd4d10136adfd3e853402349afd664a0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aaf8fa0282dca575d2b9adc6fd1103f84549fa4905ab16d9e11c9bc7518bb412
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F6F02730F0A3446FCA445BB578005DA77AECB82611B0241D7F905CB202CA25494283B1
                                                                                                                                                                                                                                          Function 06CBA369 Relevance: .0, Instructions: 37COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c233713704bff084d4cc7b389d87d7de92fbd2b18f39e7a170deb46390fd9f0e
                                                                                                                                                                                                                                          • Instruction ID: 04e193bce4a608f99889fea8e5030d8cbea9a7adb5c61dd58f9d7ec721b7c3ba
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c233713704bff084d4cc7b389d87d7de92fbd2b18f39e7a170deb46390fd9f0e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ADF059367093105FD70A0775881422D7F629F85220B2881ADC8558F3D2EE27DC43C7A6
                                                                                                                                                                                                                                          Function 06CB67F0 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 83db26d04c3c1c363170fb657c2f912cc482ee35bcd0129bb03b7982d382c053
                                                                                                                                                                                                                                          • Instruction ID: ea890fe80601f830af0fb680c4079f31de40a32361327cfbd9396fc7ad0621a3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 83db26d04c3c1c363170fb657c2f912cc482ee35bcd0129bb03b7982d382c053
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 20016D74E00209EFCB84EFA9D45059DBBF5EF89200F1085A9D809EB345DA307E09DF81
                                                                                                                                                                                                                                          Function 06CBC4C9 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5ab824e126f80d1b3104efde48d2596b72eabb14cebde884d66b3f030b5e17c6
                                                                                                                                                                                                                                          • Instruction ID: 1bd56d065c801a0c63d03d784fcf233efab0471a57d2d74ba14690f6798ade00
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5ab824e126f80d1b3104efde48d2596b72eabb14cebde884d66b3f030b5e17c6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8AF097327083405FE3324A2688006EA7BA58FC2280F0602AEC4468F905E960EE0DD3E6
                                                                                                                                                                                                                                          Function 06CB57A8 Relevance: .0, Instructions: 35COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 82957773db259d6560c2467938d2ff347a702807daf788a5db8fae33d9f54eda
                                                                                                                                                                                                                                          • Instruction ID: e7d55d82ec7b486349bc9b93c599f3d32e4db343f5fb264393c089101031382e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 82957773db259d6560c2467938d2ff347a702807daf788a5db8fae33d9f54eda
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F6F0E2357053444FD765DB78D850A5A3BE9EFCA25030985AAE446CF262EA22EC06D3A1
                                                                                                                                                                                                                                          Function 06CB1439 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: deb051bd5947cf94ee7681b338ba2eedae2c89d9e3e44d336cd94d00af7ef0bb
                                                                                                                                                                                                                                          • Instruction ID: da5fe4a9da62c3d6a94ad118942d52499974c25b942b90d5bcd4b7dae54ec3ee
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: deb051bd5947cf94ee7681b338ba2eedae2c89d9e3e44d336cd94d00af7ef0bb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A8F0BB70E1020C6FD748AAFA647169A3BCAEBC535D7091D2CA906CF141F924DA04CAE1
                                                                                                                                                                                                                                          Function 06CB45B8 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6af496af1994d0c27d5e7f2e72566c84f46c40ea1156b1a7bfbd7451aae853d2
                                                                                                                                                                                                                                          • Instruction ID: 754a96f6fb75c33c914bbc53679c648608f85d0b5f024954133d31fadac153f3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6af496af1994d0c27d5e7f2e72566c84f46c40ea1156b1a7bfbd7451aae853d2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D8F0E9357083414FDB258B3DE8509AD3FE29FC92003154569E545CF325DB20EC07D791
                                                                                                                                                                                                                                          Function 06CBC688 Relevance: .0, Instructions: 33COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ed30b65ab3a0eb8e5f2cfa226556b7cf8cded61c8ecebc2ae05d882b91b095fc
                                                                                                                                                                                                                                          • Instruction ID: b7d3c038927a8bd0fef213dec0fd8370cfbe1a1658a19e9ced3c8bc3d6fb0b98
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ed30b65ab3a0eb8e5f2cfa226556b7cf8cded61c8ecebc2ae05d882b91b095fc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C8F0A036B103114FD754D67598009B6B39AAF891A470891B9EA08C7310EEB1DC43C780
                                                                                                                                                                                                                                          Function 06CBAB90 Relevance: .0, Instructions: 33COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f60b250af1807370fd7bdb8fe44b65ad57178a9cacb3c727b1833fb387925a88
                                                                                                                                                                                                                                          • Instruction ID: ce6695f11309395f5028e6b926b063d886f72640f410ea1156effabe9965f9ec
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f60b250af1807370fd7bdb8fe44b65ad57178a9cacb3c727b1833fb387925a88
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1AF0E5313053544FD7555A7AB8888A6BBAAEB8A621B2541FAF54AC7362CE24CC098760
                                                                                                                                                                                                                                          Function 06CB38B0 Relevance: .0, Instructions: 33COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8366a1fd9129abc1cedaef2dd29f061ce16c893689c28fb632ecb7a841f17bac
                                                                                                                                                                                                                                          • Instruction ID: 4d3cdc904291e2351f4634da20897e55127393990055bc6ee47171799e20abf0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8366a1fd9129abc1cedaef2dd29f061ce16c893689c28fb632ecb7a841f17bac
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D5F0EC10F283DC06EFD5116418003EA1EDC8B42714F1610BFC896C6346D9DDCD4163D1
                                                                                                                                                                                                                                          Function 06CB36A9 Relevance: .0, Instructions: 31COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 96b3c7e69744f4ec5b3763d43349317b51d5eef8027965a6b5361ed0fc067aac
                                                                                                                                                                                                                                          • Instruction ID: 4d835ba3108838c29c48bf3e9626172ca81d1633f05c5454f16fe68c378603c0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 96b3c7e69744f4ec5b3763d43349317b51d5eef8027965a6b5361ed0fc067aac
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8CF030B1E11159AF8BC4EEA999011FEBBF8EA09144F10556AD51EE7200F23087018FD0
                                                                                                                                                                                                                                          Function 06CB4560 Relevance: .0, Instructions: 30COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0ba052a77faae4c7cdd4b0338d375d08ef66fc325796277d9f6fb5aafa34db1b
                                                                                                                                                                                                                                          • Instruction ID: 6321c7b5f1787af491fb8d29e2636c6c4d8dd63b77a32b068d3346bc350c5b7c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0ba052a77faae4c7cdd4b0338d375d08ef66fc325796277d9f6fb5aafa34db1b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 16E09231700A051BC269B6ADA84055EBADAEEC5265740843DE60ECB304DF20BE0A47EA
                                                                                                                                                                                                                                          Function 06CB3CFF Relevance: .0, Instructions: 30COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e15ff451b5c87c2dabde6313157d0fa2e529acedbc9d3fba5c34c99c8fba3c2c
                                                                                                                                                                                                                                          • Instruction ID: 3a649fa6115a93b7310c1c4b818a5832c2a8db2e3464ca851f47df372cc4b93a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e15ff451b5c87c2dabde6313157d0fa2e529acedbc9d3fba5c34c99c8fba3c2c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9FF0E570D0A259AFCB61DFB4A8114AD7BB9DB86301B1041DBE80ADB362D9326F05D793
                                                                                                                                                                                                                                          Function 06CB29A3 Relevance: .0, Instructions: 30COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3438ee7e9c6d8311ac9dd1a164cbf27772c004fb46d88160678068d44a5eeb9b
                                                                                                                                                                                                                                          • Instruction ID: a7733908fe66220d551da617a2b3d8c7accbad30ef0d4aea6830ab08842ba0ca
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3438ee7e9c6d8311ac9dd1a164cbf27772c004fb46d88160678068d44a5eeb9b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C1E0E5349193505BE3229724AC517E63FA1DF82104F068257F941DF192CA55AE0A87F2
                                                                                                                                                                                                                                          Function 06CB5752 Relevance: .0, Instructions: 28COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a9985a3856e9d3113572e463588e501ac471b2d98885e289f3936c15c06336f3
                                                                                                                                                                                                                                          • Instruction ID: 346973fc3996756f0f57c2e94c75bc6473a5235da4e292cb5160a69adf775a1b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a9985a3856e9d3113572e463588e501ac471b2d98885e289f3936c15c06336f3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 30E02633A093444FE7912FE4B8401AA7FD4E989025780817AD20ECF212C9265C0A83B2
                                                                                                                                                                                                                                          Function 06CBC1D0 Relevance: .0, Instructions: 28COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 91acf19f95829b15902d1f6b1ea95dae907d6382d8d39287b0deadbfacf46856
                                                                                                                                                                                                                                          • Instruction ID: 04877c09ed7692aeeeca4567659d5b4e68fba0d4b430b1ed3d5bd72afff3169b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 91acf19f95829b15902d1f6b1ea95dae907d6382d8d39287b0deadbfacf46856
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2EE022322043401BC7596A64A81406E3BE6FFC2354B15052AE883CB341CE652C0687A6
                                                                                                                                                                                                                                          Function 06CB3CC0 Relevance: .0, Instructions: 28COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1f619416f682efd7d05ac80b0d509c86ee3f000ed50cffd514089fd2d8f89a28
                                                                                                                                                                                                                                          • Instruction ID: 4d82b40671238a5c3527c915f02e1ef4c7b3833eae8c0a17f958d5d8a1066c2d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1f619416f682efd7d05ac80b0d509c86ee3f000ed50cffd514089fd2d8f89a28
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 14E020277892900F8B4619ED3C240BD7F5ACFC3561705017FE645C7351CE415D0643A3
                                                                                                                                                                                                                                          Function 06CB6AAF Relevance: .0, Instructions: 28COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 906ee6d8e53700574a6a111ae6778de8b950bf9c1632add77cf93d50025f5cec
                                                                                                                                                                                                                                          • Instruction ID: af76f91031e032481a56cf45e976f8ac28a3877d9716952a998f5e8e71315681
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 906ee6d8e53700574a6a111ae6778de8b950bf9c1632add77cf93d50025f5cec
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EBF06DB56042549FC315CF58D880C91BBE9EF5A20075682AAE849CF362D722ED06CBA1
                                                                                                                                                                                                                                          Function 06CBC678 Relevance: .0, Instructions: 27COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c516063325c7632a27c4955a309b5d94e0b70573debcac57a282b9c127b8499f
                                                                                                                                                                                                                                          • Instruction ID: 0b98ae25bdacb038e30dc697fa0994fc8e8b93c123545a0a54ee7530004e9d4c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c516063325c7632a27c4955a309b5d94e0b70573debcac57a282b9c127b8499f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C0E0DF3BA043025FD756567088206A7BB6A9F46590F1992A6DE008A281DA3AD843C791
                                                                                                                                                                                                                                          Function 06CB36B8 Relevance: .0, Instructions: 24COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0cfa8bbc40a4569aa7e3c07af7d9aef3d38a138ce3fc30ebf22d8fba1c64544d
                                                                                                                                                                                                                                          • Instruction ID: f186a64fe41748790722baa878df76b56cd8922e2c7dd91db33f995084c4bbfb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0cfa8bbc40a4569aa7e3c07af7d9aef3d38a138ce3fc30ebf22d8fba1c64544d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 19E01270E0026ADF8B80DFA999011EEBBF8AF48140F109569C51DE7340E3719A01CBD0
                                                                                                                                                                                                                                          Function 06CB3C89 Relevance: .0, Instructions: 24COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d4a259b599bdebb86ff312a313cc9f5a654e22be73dbb29f55ada6b121fac421
                                                                                                                                                                                                                                          • Instruction ID: 56b5ea1267f534a28b6c6accdaf69db5c06cb0860d30d76e5d692fa4b984da17
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d4a259b599bdebb86ff312a313cc9f5a654e22be73dbb29f55ada6b121fac421
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DEE0CD7574D2E44FDF4517F578200F43F11C9C214571515FBD54FC7652D31288068751
                                                                                                                                                                                                                                          Function 06CBCAC0 Relevance: .0, Instructions: 24COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 254d284b4fe56e08de69f02c94d67ba9d6840f3da0e09d2597abe1b603fb221b
                                                                                                                                                                                                                                          • Instruction ID: 92f0b2b2ced4d9e24254cf3c62b37ccb956fda9ecdb998953c32cac75351d637
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 254d284b4fe56e08de69f02c94d67ba9d6840f3da0e09d2597abe1b603fb221b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 09E0175690E3E00FEF47AB7498B40D53F229D87256B2A40C7C0C28E0A3D808984ED7AB
                                                                                                                                                                                                                                          Function 06CB6898 Relevance: .0, Instructions: 24COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 32b48de09441bb3e546f5f8e8f4c82d6330a2d8a6f18c5ef082260ecab6a2585
                                                                                                                                                                                                                                          • Instruction ID: c6b7e6bb1676aad0f6bc93d52688f0eafc33f07063f230bd6b37fb5a97bd55e5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 32b48de09441bb3e546f5f8e8f4c82d6330a2d8a6f18c5ef082260ecab6a2585
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ADE046321062419F83658A28A800883BFA6EE8A35133B82A6E005CB216C6208843D790
                                                                                                                                                                                                                                          Function 06CBC1E0 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9486cff064471683a93d7bbf7d3a4e2eb31212c554a7384d3d6d2b8881b7b998
                                                                                                                                                                                                                                          • Instruction ID: c8e706abd3e964d048e85666ebb66f9ef3352c569d6e7f24c8490fa4afcc5e3b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9486cff064471683a93d7bbf7d3a4e2eb31212c554a7384d3d6d2b8881b7b998
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 67E0C23520031557C2247B58E40456E7BDBFFC5765B00082DE94687700CE717C068BD9
                                                                                                                                                                                                                                          Function 06CB3CD0 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 07705dfa1483cb1e983992d2195c6d52d3caa6e92ba558b09c7aa6483f193d6d
                                                                                                                                                                                                                                          • Instruction ID: 07a7334dcb9f7e113c9c2ba46f710d6f36a7f5095e84cd3184afc81b7bb9e69c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 07705dfa1483cb1e983992d2195c6d52d3caa6e92ba558b09c7aa6483f193d6d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 24D05E3A340160130A54299E781447E769FCBC5961304013EEB0AC3340CE515C465395
                                                                                                                                                                                                                                          Function 06CB6AC0 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d1eaa55b288a17950513a5c8a5e714fd9dee480be7429a420eca94234b0210b5
                                                                                                                                                                                                                                          • Instruction ID: 3878caf5a6d72a7f7d6edec8960ddeb889750f8a8eef2f87bf410e1eb90e3190
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d1eaa55b288a17950513a5c8a5e714fd9dee480be7429a420eca94234b0210b5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 48E0EC757042149FD314DF5DD880C91BBE9EF592543558199E949CF312D732ED12CBA0
                                                                                                                                                                                                                                          Function 06CB46D8 Relevance: .0, Instructions: 19COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ff6d5d1c329c616a002581ead5afb018ce57a99116806a570cfacbc5b2198a13
                                                                                                                                                                                                                                          • Instruction ID: c078738f68de0d98b5e6cba2f44c16629abbce00232c2d75e565035f7e5dfc2b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ff6d5d1c329c616a002581ead5afb018ce57a99116806a570cfacbc5b2198a13
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EEE0B674E0430CAFCB54EFF8E44459DBBF5EB48301F0081AAE809E7350EA346A458F81
                                                                                                                                                                                                                                          Function 06CB3938 Relevance: .0, Instructions: 19COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2f8c53ca509b7df4de4f0b0f2089d916a0470eab69675c674a3fa2aff400dfc1
                                                                                                                                                                                                                                          • Instruction ID: 2e28b1aeb91ff051e3cf5734ddf6677c0b989fb202dfa98df3f33b6a1f15f5ba
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2f8c53ca509b7df4de4f0b0f2089d916a0470eab69675c674a3fa2aff400dfc1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0FD09712F093A42BCB9421B828085FE3F4CCF02920F0204EBDA0DDB302C828CC0003D4
                                                                                                                                                                                                                                          Function 06CB0C0C Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3606d00a8dda277238b2f0f9bd8eef533cd3f4055f4b7fc48d6f7799a6b3dd21
                                                                                                                                                                                                                                          • Instruction ID: 78b8bc460c4c0d219e1b5f54dd474505b922ce785f0aa139a00b2afff2cb78e2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3606d00a8dda277238b2f0f9bd8eef533cd3f4055f4b7fc48d6f7799a6b3dd21
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 84D0A73631011C6F52446656D859DAA7BADE7882A17504433FD0183311CE616C0587D6
                                                                                                                                                                                                                                          Function 06CB2960 Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fd5d3a8ef1274b96bd477a1d2a07b042e03d6c0ac42707ee6d5280f4f9115abf
                                                                                                                                                                                                                                          • Instruction ID: 9289923631e8d2c5f0e6f9eeed25c79d7895c69976295dfce8b17eee46858fa4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fd5d3a8ef1274b96bd477a1d2a07b042e03d6c0ac42707ee6d5280f4f9115abf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 01D01279955208DFCB00DFA0E94169D7FB5EF45205B208596DC0597214EE306E12CBC1
                                                                                                                                                                                                                                          Function 06CB3D10 Relevance: .0, Instructions: 16COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c69959b9a788913fc6a3ae698a0f3df41bea885d8ead2a309647a533a643703d
                                                                                                                                                                                                                                          • Instruction ID: 0e364c6880c23efd5d36bf44f9505a93292f1ca0754f7c4924dd261bbe3af9a1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c69959b9a788913fc6a3ae698a0f3df41bea885d8ead2a309647a533a643703d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 41D05E34E0420DEFCB50EFB8E90155DBBF9EB84204B1041A9E809D7340EE313F049B91
                                                                                                                                                                                                                                          Function 06CBE32A Relevance: .0, Instructions: 15COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fc3e00f9f8c60ee053c87b0170c02632ebc69084d528540f17106cfd6c947b9a
                                                                                                                                                                                                                                          • Instruction ID: 5612e718d7981a8538f9b5ba0495e10852e66bbe7dd4654a8d3dcec435c8d4ce
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fc3e00f9f8c60ee053c87b0170c02632ebc69084d528540f17106cfd6c947b9a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BDE0C230A0421BCFDB548FE0C4647EE7731BF08785F204418D401AB204DF788A06CF80
                                                                                                                                                                                                                                          Function 06CB2968 Relevance: .0, Instructions: 15COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 30ceb221651ee297b856ad11cdd7f37f389049eb5b55ab65cb1671fadf408a75
                                                                                                                                                                                                                                          • Instruction ID: 9e4ed03bc645b8eb6fe70a7aeef95057055971f068af39de3ad395136e767c19
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 30ceb221651ee297b856ad11cdd7f37f389049eb5b55ab65cb1671fadf408a75
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 88D017789052089FCB00DFA4E94199DBBB9EB45200B2086A6AC0497224EA306E01CB81
                                                                                                                                                                                                                                          Function 06CB3C98 Relevance: .0, Instructions: 14COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 885fd964474a2ba7fe9141961fa60eed121c6b9774c03a15a7312837c3b6006e
                                                                                                                                                                                                                                          • Instruction ID: 622562d60012c804f6874fbf633407e5a14b24a23bcb51beb1dae8a27f1075e0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 885fd964474a2ba7fe9141961fa60eed121c6b9774c03a15a7312837c3b6006e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C1D01234714208CFDB88EBE5E9555B57799DBC864470098ACAD0FC7341EF22FD02CA80
                                                                                                                                                                                                                                          Function 06CB46B0 Relevance: .0, Instructions: 9COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c217c2766a7b2940092a0356dedbd8003a8d1897539361252b3745577a610d23
                                                                                                                                                                                                                                          • Instruction ID: 161f4562b90d8b05f106102c128d13b5a3cf6a76e172356495d6d5e787b7ec56
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c217c2766a7b2940092a0356dedbd8003a8d1897539361252b3745577a610d23
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 42B0927090530CAF8620DAA9980195AB7ACDA0A211B4001D9F90887320D972AA1157D2
                                                                                                                                                                                                                                          Function 06CB0449 Relevance: .0, Instructions: 9COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 554b61734d7e01212a37a4c31456f7fa489db8d75ca7d5f5c2980ac91ece140d
                                                                                                                                                                                                                                          • Instruction ID: 4fe0212c17bc62024f170db463deccaf6b525aae0a460d2e88accf8c1b08987a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 554b61734d7e01212a37a4c31456f7fa489db8d75ca7d5f5c2980ac91ece140d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 43B02471F0554017D10540404C401F70704F3710053CCC05D40005C001F0144317D1D0

                                                                                                                                                                                                                                          Non-executed Functions

                                                                                                                                                                                                                                          Function 06CBF7E8 Relevance: 7.6, Strings: 6, Instructions: 150COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000006.00000003.1391108910.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_6_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q$,q$,q$Hq$`]q$`]q
                                                                                                                                                                                                                                          • API String ID: 0-776724203
                                                                                                                                                                                                                                          • Opcode ID: 59201b8d53105affbb23a248565fc50aab764786afa6895eec7c56699b3f4556
                                                                                                                                                                                                                                          • Instruction ID: 16161ca92c737f43ec989aa4d2adf995c0f9687af5d8175dec32cbd3b9891c6b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 59201b8d53105affbb23a248565fc50aab764786afa6895eec7c56699b3f4556
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CA416831F042249FE7645B2AA8144AD37E6EFCB62172854AFD106DB360CE22EC01C3DA

                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                          Function 074C50B8 Relevance: .3, Instructions: 283COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 16a7afe7d2998d0b1348d2df729b81db03f44cae7646097757e115fb98100782
                                                                                                                                                                                                                                          • Instruction ID: 6f8f51219cf09e232800170bcdaacbca48028d3aa115d9c1548acf8d3575ccac
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 16a7afe7d2998d0b1348d2df729b81db03f44cae7646097757e115fb98100782
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 64B12AB4E002098FDB54CFA9D8857DEFBF2AF48314F24852ED815A7394EB74A856CB41
                                                                                                                                                                                                                                          Function 074C59A8 Relevance: .3, Instructions: 268COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 48707258ba35429ae9e33196bf8baa1e990ef112974033a50cd16f6f1999aad1
                                                                                                                                                                                                                                          • Instruction ID: e377019c2c08d119940554775b58ac269a7d6046e9ef66f3a1d08e4c952921c0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 48707258ba35429ae9e33196bf8baa1e990ef112974033a50cd16f6f1999aad1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3FB14FB4E002098FDB54CFA9D8817EEFBF2AF88314F24852ED415A7354EB74A851CB91
                                                                                                                                                                                                                                          Function 074C1080 Relevance: 6.5, Strings: 5, Instructions: 212COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q$_FloatParseHandling$aIdHandling$izedAttribute$tDefaultValue
                                                                                                                                                                                                                                          • API String ID: 0-2745725739
                                                                                                                                                                                                                                          • Opcode ID: 35e264962e427e606ec129efe5146518bf2fb14d514b2884a6ea8c93640a231a
                                                                                                                                                                                                                                          • Instruction ID: 131dbf04471f2ab007180e2d87ecafbe527f2e3c9f7de50cb047bb6fc2f56308
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 35e264962e427e606ec129efe5146518bf2fb14d514b2884a6ea8c93640a231a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EF71A679B10218CFDB54DBB5D8547AEB6A7AFC8200F14802EE506EB3A1DE359C438751
                                                                                                                                                                                                                                          Function 074C0C1C Relevance: 5.1, Strings: 4, Instructions: 66COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q$izedAttribute$okenEqualityComparer$tyPermissionFlag
                                                                                                                                                                                                                                          • API String ID: 0-257119850
                                                                                                                                                                                                                                          • Opcode ID: 67b9566eb81886cf6d3cae6ca44a62c08661f9b103282af78a003007da3ef1ca
                                                                                                                                                                                                                                          • Instruction ID: a73cfb33c685d6d8e1eaa46060e5eeb64cc5e5d66e8232eae2ab4bd0ff1e0bb2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 67b9566eb81886cf6d3cae6ca44a62c08661f9b103282af78a003007da3ef1ca
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6711E2B0B082098BE759A77999603EF7BB29BCA200F19456FD501E7392CE244C0683A2
                                                                                                                                                                                                                                          Function 074C0E6C Relevance: 2.6, Strings: 2, Instructions: 94COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: nishedValue$t_Container
                                                                                                                                                                                                                                          • API String ID: 0-2457292029
                                                                                                                                                                                                                                          • Opcode ID: c9a7daf4d175f022eea61e722d94c8d340c26c455a8869b05bf938ec6450d457
                                                                                                                                                                                                                                          • Instruction ID: 6dcabb9e404d7d52df11032b87bee3ee05b98657f5f6c8a0f02f60269e29042a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c9a7daf4d175f022eea61e722d94c8d340c26c455a8869b05bf938ec6450d457
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BC312378A143089FDB04CB60D855BED7FB2EF89320F15845EE90ADB781CE799846C790
                                                                                                                                                                                                                                          Function 074C1072 Relevance: 2.6, Strings: 2, Instructions: 74COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: aIdHandling$tDefaultValue
                                                                                                                                                                                                                                          • API String ID: 0-783813968
                                                                                                                                                                                                                                          • Opcode ID: e1eaeab49bf15ad5bb3cd664d5dae1d0408a517c71b7d42394561e2427661a95
                                                                                                                                                                                                                                          • Instruction ID: de6e0d53f3654dfb9403a68bef80ab41a3958d19d390bce287c3c5bcbbb0b999
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e1eaeab49bf15ad5bb3cd664d5dae1d0408a517c71b7d42394561e2427661a95
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 76110DBAB10208CBDB10DA759C447FEBBEAAF88151F04413BD906D7341DE74C9028790
                                                                                                                                                                                                                                          Function 074C2997 Relevance: 2.5, Strings: 2, Instructions: 42COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: ExpressionVisitor$entSchemas
                                                                                                                                                                                                                                          • API String ID: 0-2226804538
                                                                                                                                                                                                                                          • Opcode ID: f63a91e9e037074e28c6e28f45d786508257a7c8b4f770de9dd4358d6bc03113
                                                                                                                                                                                                                                          • Instruction ID: ca798de376b5785ccf3bf292151e7188df0beedcc7b6257637bc936a717c565c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f63a91e9e037074e28c6e28f45d786508257a7c8b4f770de9dd4358d6bc03113
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2401F4353043418FD715A770E94469E3B22FF8111170481AFE6068FA91DFA2A98B87E2
                                                                                                                                                                                                                                          Function 074C29A8 Relevance: 2.5, Strings: 2, Instructions: 34COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: ExpressionVisitor$entSchemas
                                                                                                                                                                                                                                          • API String ID: 0-2226804538
                                                                                                                                                                                                                                          • Opcode ID: 306f7ffcbf6db12efeab4ff20bf8f3646f919381f4b0cd51562fab554f3e6674
                                                                                                                                                                                                                                          • Instruction ID: a324840bee412cb6eac3001c5c878a2e1fd997dfb480df37c22c7908ee711213
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 306f7ffcbf6db12efeab4ff20bf8f3646f919381f4b0cd51562fab554f3e6674
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BFF0B4343103018FD718EB70E94465E3B56FF80211704853DE6068FB40DFB2A88B87E2
                                                                                                                                                                                                                                          Function 074C1958 Relevance: 1.3, Strings: 1, Instructions: 58COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: nishedValue
                                                                                                                                                                                                                                          • API String ID: 0-3733506389
                                                                                                                                                                                                                                          • Opcode ID: dd9dc0d9a5b79a2a02c787145bbeaf27cd6590147841873ae7aa72fb0fe62f52
                                                                                                                                                                                                                                          • Instruction ID: fe2b3e5933277d69f8e5da25947233a48a3c5e09dc1ab5c164fccf0f9912132b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dd9dc0d9a5b79a2a02c787145bbeaf27cd6590147841873ae7aa72fb0fe62f52
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AA114F75A10244DFDB04CF64D895AED7FB2EF8C325F158019E90AA7741CF795846CB90
                                                                                                                                                                                                                                          Function 074C1968 Relevance: 1.3, Strings: 1, Instructions: 51COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: nishedValue
                                                                                                                                                                                                                                          • API String ID: 0-3733506389
                                                                                                                                                                                                                                          • Opcode ID: 114a9e98e1a30ef69da0d09eba445a4607e6efbd39bda198a537ecc82a6f9512
                                                                                                                                                                                                                                          • Instruction ID: af6899c5f982863275e7ec8bdff7d1cc8fc0a295ad03e958aa528c5c93babb9c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 114a9e98e1a30ef69da0d09eba445a4607e6efbd39bda198a537ecc82a6f9512
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 70115175A10205DFDB04DF64D859EAD7FB6EF8C324F158019E90AA7780CF796886CB90
                                                                                                                                                                                                                                          Function 074C1837 Relevance: 1.3, Strings: 1, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: okenEqualityComparer
                                                                                                                                                                                                                                          • API String ID: 0-3132462958
                                                                                                                                                                                                                                          • Opcode ID: 5270ea9c3f3dc8fbd0ea8277095dfb7ac26e068cb78404ffe61e95333f022502
                                                                                                                                                                                                                                          • Instruction ID: 3f54bbdf19c6b72c2a1e8f80424814e26988e5254d9e1c09a012ffe983b7d9a6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5270ea9c3f3dc8fbd0ea8277095dfb7ac26e068cb78404ffe61e95333f022502
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B8F0A9F9A04109D7EB58EAA88A647EF6AE69BC8600F25442FD102B3381CE710C0187A2
                                                                                                                                                                                                                                          Function 074C0C48 Relevance: 1.3, Strings: 1, Instructions: 18COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • tem.Collections.Generic.IList<Newtonsoft.Json.Linq.JToken>.IndexOf, xrefs: 074C0C48
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: tem.Collections.Generic.IList<Newtonsoft.Json.Linq.JToken>.IndexOf
                                                                                                                                                                                                                                          • API String ID: 0-1040250643
                                                                                                                                                                                                                                          • Opcode ID: 84e8dfd51304a44a80b7ef040e6b0353cce3dbca143c65ec753cbf20d9bf0ed8
                                                                                                                                                                                                                                          • Instruction ID: bc50644599bdaaa08217e05e708562529cbeed6c253186e84180bcbca849858e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 84e8dfd51304a44a80b7ef040e6b0353cce3dbca143c65ec753cbf20d9bf0ed8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BDD0A7313512204FC204935CE450A5D3BA9DB4A721F50045BF10ACB320C951FC020389
                                                                                                                                                                                                                                          Function 074C0C0C Relevance: 1.3, Strings: 1, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: Flag
                                                                                                                                                                                                                                          • API String ID: 0-1908819108
                                                                                                                                                                                                                                          • Opcode ID: 9522740babfda7bb49ab34f81a96a8ca1174bb0eca5f9bf36d2fe2d55cbb6324
                                                                                                                                                                                                                                          • Instruction ID: bffa0348c436f0660f9e526f88138fb4a0fd2143314356ad2293af85d6c84e4d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9522740babfda7bb49ab34f81a96a8ca1174bb0eca5f9bf36d2fe2d55cbb6324
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C9D0A77A25411C9B4208A655EC859AA7B6EE7C52A1750442BFA0187220CE605C4587A6
                                                                                                                                                                                                                                          Function 074C1497 Relevance: 1.3, Strings: 1, Instructions: 4COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: nishedValue
                                                                                                                                                                                                                                          • API String ID: 0-3733506389
                                                                                                                                                                                                                                          • Opcode ID: 494ebf25ae5319827d13b0bf961ba3e2d8dc42ff462ba545c60b6fd6cf4a5aca
                                                                                                                                                                                                                                          • Instruction ID: 7aaf8993aceba33819ef970f2f77b4ddb15b8f5ddc5ab491b01966791d6c5b88
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 494ebf25ae5319827d13b0bf961ba3e2d8dc42ff462ba545c60b6fd6cf4a5aca
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D19002714553045D97008AA4B55151E3E9496402157560156E00D89904DD3A805547D1
                                                                                                                                                                                                                                          Function 074C50B7 Relevance: .3, Instructions: 273COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2fd0fd9a13d8f6b55656a857b0272410fe387a0be6b53c0d4ce39a8148a9fa75
                                                                                                                                                                                                                                          • Instruction ID: ff2f76e1ef53411ddfcb65bbad3f03ebece9153d548b3ce5761b78e9b150c4d0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2fd0fd9a13d8f6b55656a857b0272410fe387a0be6b53c0d4ce39a8148a9fa75
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 69B139B4E00209CFDB64CFA8D9857DEFBF1AF48314F24852AD815A7294EB74A856CF41
                                                                                                                                                                                                                                          Function 074C599C Relevance: .3, Instructions: 268COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0a73f07bb0052feab386e5dcdc98333d2610ae191fb2f648d7f8b66330ffd0cf
                                                                                                                                                                                                                                          • Instruction ID: bdd184704f23613efadb07265c0b85f4dd30a87a7fb2e58b7a7cd9201dc464f0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0a73f07bb0052feab386e5dcdc98333d2610ae191fb2f648d7f8b66330ffd0cf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 10B15DB4E002098FDB50CFA9D9817EEFBF1AF48314F24852ED415A7354EB74A851CB91
                                                                                                                                                                                                                                          Function 074C2268 Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5fffa19e31fd36a40700f5a1a5b0d418f665e0afb21483790509634219baae81
                                                                                                                                                                                                                                          • Instruction ID: 5d304edcb6868c064e2e4b3b5bd9816d1f5406fa31c29a4c423b7b5fe0de75a7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5fffa19e31fd36a40700f5a1a5b0d418f665e0afb21483790509634219baae81
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A241F579B10218DFCB54DF69D98099EBBB2FF88710B10816AE905EB364DB71DD42CB90
                                                                                                                                                                                                                                          Function 074C2B18 Relevance: .1, Instructions: 64COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d6da06f08168d331c1e202735d8fa6a634cc26a1702f15f3a47dc68d3c898c91
                                                                                                                                                                                                                                          • Instruction ID: e37356609f9da322293b318e48e83a04ffe2380f9a6ca76fb24913715075739b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d6da06f08168d331c1e202735d8fa6a634cc26a1702f15f3a47dc68d3c898c91
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 09118F75B002188BCB95FB7964202AF7AE2AFC8651711043EC50ADB344FF7489438BD6
                                                                                                                                                                                                                                          Function 074C1378 Relevance: .1, Instructions: 55COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 266f9846a03b5e508bcb43021f2cfc024c6b4141c1823c4024bf52b9b9d90625
                                                                                                                                                                                                                                          • Instruction ID: cb138c4d28195064782f5ccfcc7ef00fde7ae5af8e60296a5813cbc78fdf279f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 266f9846a03b5e508bcb43021f2cfc024c6b4141c1823c4024bf52b9b9d90625
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9421E2B4D002498FDB24DFAAC480AEEBBB0FF48214F54852ED859A7640C7756906CFA1
                                                                                                                                                                                                                                          Function 074C2267 Relevance: .1, Instructions: 54COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d6b240d97c7e9cecf0738bc0533f3a0f3882917ea783d116f63408e01bbbf0e0
                                                                                                                                                                                                                                          • Instruction ID: 5fc26a206437cc285caa435804730d2e3552ee817fdd52799a5d6146c3dff698
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d6b240d97c7e9cecf0738bc0533f3a0f3882917ea783d116f63408e01bbbf0e0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2F11F9B9E101149FCB54DF69D98099EBBB2BF4C310F10812AE915EB364D7319941CB50
                                                                                                                                                                                                                                          Function 074C1380 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 72d42b4e168b44a5d8e80ccbfb9186f66efbfdf343f3e58cf6cc71bc91557ba1
                                                                                                                                                                                                                                          • Instruction ID: d3a0941c99059d632c08655176655d13f09aa8bb90a040b233cd93c09995ff4e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 72d42b4e168b44a5d8e80ccbfb9186f66efbfdf343f3e58cf6cc71bc91557ba1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1911E3B5D002098FDB20DFAAC481BDEFBF4FB48214F50852AD95967240CB756905CFA5
                                                                                                                                                                                                                                          Function 074C2B08 Relevance: .1, Instructions: 52COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1f035fe18a962526b1dd73bab098de1c70195057fe31e68129987db67b31de06
                                                                                                                                                                                                                                          • Instruction ID: 44e9e15c51576e6beea396c7c181623defc120e0c907204a4237b88957f7940d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1f035fe18a962526b1dd73bab098de1c70195057fe31e68129987db67b31de06
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B201ADB9B012148FCB94EF7854202FFBBE2AFC8201705016EC509D7340EF748A438BA2
                                                                                                                                                                                                                                          Function 074C2A68 Relevance: .0, Instructions: 50COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f0be0aa17240c684da300a19cc96fccdf34b81e0ca27181f319c3107f7566fae
                                                                                                                                                                                                                                          • Instruction ID: 16dde06461db462cfffc250d335fb71fbd82025c0dc915e9aa2bbc28793c16a1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f0be0aa17240c684da300a19cc96fccdf34b81e0ca27181f319c3107f7566fae
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 75015E75B102158FCB54DB78A9146EE7BF2FB88725B20063AD509DB250EB719D828BC0
                                                                                                                                                                                                                                          Function 04EDD01D Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000002.1400010203.0000000004EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EDD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_4edd000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a925d666a0442b4e78921da5c8b37377b53b19ba2c6df00418bdc1ef4436c9df
                                                                                                                                                                                                                                          • Instruction ID: 97e556e0c236dfd6b9ff95de639e911a5f4f2b811ed945618888c3a19a0d2496
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a925d666a0442b4e78921da5c8b37377b53b19ba2c6df00418bdc1ef4436c9df
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0201F231508300AFE7204E21EC84F66BF89DF81329F08C55AEC484F282C278B847CAB2
                                                                                                                                                                                                                                          Function 04EDD005 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000002.1400010203.0000000004EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EDD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_2_4edd000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ae0d87faf537e5aecf0f58981ed291bab01867ddea3e8c014662b3f7a153e645
                                                                                                                                                                                                                                          • Instruction ID: 7cd7099478be9b7006a4d4bf88ece0c9f461927b6138b7cb253ffc6c75508169
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ae0d87faf537e5aecf0f58981ed291bab01867ddea3e8c014662b3f7a153e645
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2C015E7140E3C09FE7128B259C94B52BFB8DF43228F1981DBD8888F1A3C2696849C772
                                                                                                                                                                                                                                          Function 074C2A78 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f55aa19bab48fac37159f5a644e54abb83c7a8077b39668a75b264a51a5f4d9b
                                                                                                                                                                                                                                          • Instruction ID: 73bd01537744979771a09acd5905219ce028df65730dacec30ef80e59151c555
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f55aa19bab48fac37159f5a644e54abb83c7a8077b39668a75b264a51a5f4d9b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3101F675B102148FCB58EB78D504AAE7BB6AB89711B10046ADA09DB354EB719E82CB81
                                                                                                                                                                                                                                          Function 074C2A20 Relevance: .0, Instructions: 28COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a3e0d008524aae8e7330280974d84ec02d6904e075660e9bf8fcefae8986c160
                                                                                                                                                                                                                                          • Instruction ID: 28fe5a0481c93a71e718ad44bfdcfca6831b9ba55a7479cca56a4893573dd544
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a3e0d008524aae8e7330280974d84ec02d6904e075660e9bf8fcefae8986c160
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 76E0923135FAA24FC71A863474151FE2F646E8262034902BFF00AD6282DE8A89428391
                                                                                                                                                                                                                                          Function 074C2959 Relevance: .0, Instructions: 23COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dc4a8115fde63c703bdd682b32e7c863946687732e85d232a6b69af15fbc4c1d
                                                                                                                                                                                                                                          • Instruction ID: 66e1c2615978e6602cbcad9f3d9120190cd78da7abe8c56e81aedaa3af9d5a4c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dc4a8115fde63c703bdd682b32e7c863946687732e85d232a6b69af15fbc4c1d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F2E04F7590E3498FDB05CB70E9446E9BFB5EF4620572047EBD814DB261D6341E458781
                                                                                                                                                                                                                                          Function 074C2A30 Relevance: .0, Instructions: 22COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c003a65aedc5e04e76871f45c650049c974815e234df4a91dceeb7a3d1dfe8c6
                                                                                                                                                                                                                                          • Instruction ID: c6e862e31b3d4ecb54b7661493b292a169ae7a3d4505f991acd78dae8cc8ec99
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c003a65aedc5e04e76871f45c650049c974815e234df4a91dceeb7a3d1dfe8c6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BBD02B703199278BDA18153664052FF398C6B41661B05003FF40EC2380DFCEC9434394
                                                                                                                                                                                                                                          Function 074C2968 Relevance: .0, Instructions: 15COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d67c006e24110e965f7a89d20b9cebca53ab9deee171170e63e4c501cb391e20
                                                                                                                                                                                                                                          • Instruction ID: 9023040fd4ec371b20891db3103edfc8a29ae6a55e685b3d9dba32865d0e411c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d67c006e24110e965f7a89d20b9cebca53ab9deee171170e63e4c501cb391e20
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7BD05E7490520CDFCB00DFB4EA4099DBBFAEB49200B2086A588049B214EA306E418B81
                                                                                                                                                                                                                                          Function 074C5EBF Relevance: .0, Instructions: 12COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3ec293605b9f80a0156eb281cc792cd29ea6d313c5a6dd0c34339163ff1b9da0
                                                                                                                                                                                                                                          • Instruction ID: eef215712198ac2246a3ff8820bf07e6ae6ab77ee54773f4f886d46ca794bb5a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3ec293605b9f80a0156eb281cc792cd29ea6d313c5a6dd0c34339163ff1b9da0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0BC08C363404204FD7049BACE250A6837A1AF8DB25B1000AAF11ECF370CE62DC014784
                                                                                                                                                                                                                                          Function 074C17FF Relevance: .0, Instructions: 11COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fe59ce7cc309423d752213287ed510f271b659da04557cbaca8d44d445cd26c7
                                                                                                                                                                                                                                          • Instruction ID: 7e30fee78e8f6d7baaa0fd618199e3023f71da2b581677f9395dc8ab52fd73b3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fe59ce7cc309423d752213287ed510f271b659da04557cbaca8d44d445cd26c7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EDC0807F7404148F47449A50E6465697737A7D4151344402BE90597334CF304C51C740
                                                                                                                                                                                                                                          Function 074C0440 Relevance: .0, Instructions: 11COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 78605859843959f0897c3992f5fca4d5a26f8c7bb12604fb8cdaf3b06342b48a
                                                                                                                                                                                                                                          • Instruction ID: 56b614c89b87f75ecc0bb309c3c585cbb9e2b61fe8e4f7ce4fab0940edadb9ca
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 78605859843959f0897c3992f5fca4d5a26f8c7bb12604fb8cdaf3b06342b48a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DEC0123202E2C08FEB4687A08892484BF30BA6221938E83EBD04289903C21C8046C3B1

                                                                                                                                                                                                                                          Non-executed Functions

                                                                                                                                                                                                                                          Function 074C0E8C Relevance: 6.3, Strings: 5, Instructions: 79COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000007.00000003.1399415987.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_7_3_74c0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (q$ateTimeZoneHandling$izedAttribute$nFlag$seHandling
                                                                                                                                                                                                                                          • API String ID: 0-84612264
                                                                                                                                                                                                                                          • Opcode ID: 4463ddf71cfc9845a01a717885e145bed386c6c86eb48487f8c534f8e941a443
                                                                                                                                                                                                                                          • Instruction ID: c96ea3dc8a5879373d8fa3a8818dafb516386048f9978b0a2d6b973bad84c397
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4463ddf71cfc9845a01a717885e145bed386c6c86eb48487f8c534f8e941a443
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 06117635B002058FF628636A6CA17AF2A5AEFC0510F90462FEE06EB380CC558C4743EA

                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                          Function 00007FFAAB57172D Relevance: 1.4, Strings: 1, Instructions: 115COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 0WO
                                                                                                                                                                                                                                          • API String ID: 0-3064067302
                                                                                                                                                                                                                                          • Opcode ID: 4a1d95221d5f4a2eec98fce8c3a31719a447170766f267d9633261f19ce3d230
                                                                                                                                                                                                                                          • Instruction ID: 2075dbc49cd1f04ee947b6dceafe7ac4ef81839cca36200b9d3e98f2013429aa
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4a1d95221d5f4a2eec98fce8c3a31719a447170766f267d9633261f19ce3d230
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 90417B70E1951A8FDBA9DF18C4947E8B7B1FF49340F5085E9C00E97292DA7869C9CF80
                                                                                                                                                                                                                                          Function 00007FFAAB57C922 Relevance: .5, Instructions: 461COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 29fd83c7240a3585d49ae2dae3a643b1568aa6030d2afbc4f51892227ad9e5aa
                                                                                                                                                                                                                                          • Instruction ID: 6c70059e698ee056a8390e44f7edd03cc5df613560f93c237574d43511b31cf6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 29fd83c7240a3585d49ae2dae3a643b1568aa6030d2afbc4f51892227ad9e5aa
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 85E1B570A09A4E8FEBA8DF28C8557E977D1FB55350F04866EE84EC7291CF7498848BC1
                                                                                                                                                                                                                                          Function 00007FFAAB571FAC Relevance: .1, Instructions: 61COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fd83edb5c1ac445044bd2487c5c802c76ce32f322adcb88b7b473df4ae1aab87
                                                                                                                                                                                                                                          • Instruction ID: e8412cb890345f88ed187918effc51dc71510a9248caf56cef8033bdae161d0c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fd83edb5c1ac445044bd2487c5c802c76ce32f322adcb88b7b473df4ae1aab87
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A811A271D0A65A8FE7959B18C8843F977E5EF42350F1444F9D00D921A3DE381EC98B80
                                                                                                                                                                                                                                          Function 00007FFAAB571A2F Relevance: .1, Instructions: 57COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 50374cd1d31e669ebf101eba3e3cdf786c2441ae8e943de461e466150724f03e
                                                                                                                                                                                                                                          • Instruction ID: 7da685f26e59ee8e0d1a13fad7f90be878f3c871b19fc953a3a043177a8eb0ec
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 50374cd1d31e669ebf101eba3e3cdf786c2441ae8e943de461e466150724f03e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 46014C30D4E257CFE355AF2081043F8B2F9AF07340F5068B8D00F672A3DA7899899A88
                                                                                                                                                                                                                                          Function 00007FFAAB570E53 Relevance: 9.3, Strings: 7, Instructions: 581COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: /E$/E$/E$/E$/E$/E$/E
                                                                                                                                                                                                                                          • API String ID: 0-1197653991
                                                                                                                                                                                                                                          • Opcode ID: 1eba39115f3b67360403999de52cab0fc84837f83a7d7baba6bb3f7be66e99a1
                                                                                                                                                                                                                                          • Instruction ID: 97d2c690c883b2f4645bfc7d061fa26537c9a8496d1b7f3c96f03d5fdf880d74
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1eba39115f3b67360403999de52cab0fc84837f83a7d7baba6bb3f7be66e99a1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E2225C70A0861A8FDB99EB24C494BA8B7B6FF59304F5045FDC00ED7292DA35A9C5CF40
                                                                                                                                                                                                                                          Function 00007FFAAB57596E Relevance: 1.6, Strings: 1, Instructions: 388COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: M_^
                                                                                                                                                                                                                                          • API String ID: 0-3807191693
                                                                                                                                                                                                                                          • Opcode ID: 5674970c916d7950aa6e4cad7c88fa09593ae7ac2dc06068b1c928975acdefb6
                                                                                                                                                                                                                                          • Instruction ID: 88a35744e86fc8ced5cd06d416dff7f238465709f379dcf1154b5c797d0196dd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5674970c916d7950aa6e4cad7c88fa09593ae7ac2dc06068b1c928975acdefb6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5EC12B72A0E6564FD311A77CE8521F87BA0EF47221B044AFBD14EC74E3E91D148A8791
                                                                                                                                                                                                                                          Function 00007FFAAB66003A Relevance: 1.6, Strings: 1, Instructions: 314COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501771028.00007FFAAB660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB660000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab660000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 6E
                                                                                                                                                                                                                                          • API String ID: 0-2597168574
                                                                                                                                                                                                                                          • Opcode ID: 76480f4695b9a90165acaef2020c62637efcb63b1700051f536d776ebd4de0ca
                                                                                                                                                                                                                                          • Instruction ID: dc7c35197ff59ecdc06f20b338e32b34b269803187cb66f68283ca793edd530d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 76480f4695b9a90165acaef2020c62637efcb63b1700051f536d776ebd4de0ca
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CB810871A0DB888FD759DB1C98A5674BBE1EF9A310B0541FFD48EC72A3DD24AC068781
                                                                                                                                                                                                                                          Function 00007FFAAB660853 Relevance: .9, Instructions: 947COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501771028.00007FFAAB660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB660000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab660000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3470d3eadcd7ceca83484dc2eeaedd8b128c5cecb5dfec660d3f3d9a3930f319
                                                                                                                                                                                                                                          • Instruction ID: 0dad6abd54bdb80d4f4cf59997379308d71cca25fae7c0b425076affa9396c74
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3470d3eadcd7ceca83484dc2eeaedd8b128c5cecb5dfec660d3f3d9a3930f319
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C4F1F571B0DA498FD759972C9869674BBD2EF56310B0442BED08EC72B3DD28AC4687C1
                                                                                                                                                                                                                                          Function 00007FFAAB57B679 Relevance: .4, Instructions: 415COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5db33fb7c56ae51c986c9bd0654751f1d54353df799e6aa3f7eb28ab119a8084
                                                                                                                                                                                                                                          • Instruction ID: 5f1ecc47ec98e15f9b14d8f89cc79a7a923f2bd380a3f29fb3ca4d4cd552073e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5db33fb7c56ae51c986c9bd0654751f1d54353df799e6aa3f7eb28ab119a8084
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C6D1C930618A8E8FEBA8DF28C8557E977D1FF59310F04866EE84EC7291CB7598458B81
                                                                                                                                                                                                                                          Function 00007FFAAB576772 Relevance: .4, Instructions: 365COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d516d5350409cc9a78731dbe07bcee3bdc385d6b27b1e398825b346468194295
                                                                                                                                                                                                                                          • Instruction ID: ae4b660a1f927d043ef569acac12102d3d057fbac8388b28da92431a87832d3c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d516d5350409cc9a78731dbe07bcee3bdc385d6b27b1e398825b346468194295
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 31C12761E0E687CFE795DB688955AA53BE4EF13390F0845F9D04ECB1E3E918984E87C0
                                                                                                                                                                                                                                          Function 00007FFAAB57D7BE Relevance: .3, Instructions: 321COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0b716159916893f41f9dff9befb45e1f171879034630b99dff11768e7044bf26
                                                                                                                                                                                                                                          • Instruction ID: ef0b98d0ec580df57a3311c7bde21b5b9d803768272d0ff4bc2a1ae0fa409ad1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0b716159916893f41f9dff9befb45e1f171879034630b99dff11768e7044bf26
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A0B1A970A08A5D8FDF94EF58C895BA8B7F1FF69301F1041A9D00DE7262DA74A985CF40
                                                                                                                                                                                                                                          Function 00007FFAAB571AC3 Relevance: .3, Instructions: 286COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b8b2f7d08d770f76dcece645d24473743e481609be7f00fd9bb0254d6c5bac67
                                                                                                                                                                                                                                          • Instruction ID: 0edbb73ccd74c8575ae8147c87f91a6929e709c41d0f0910dd4ebab35abbd5c1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b8b2f7d08d770f76dcece645d24473743e481609be7f00fd9bb0254d6c5bac67
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5BB19F70D0A26A8FDB65CB68C8557E8BBF1EF06350F1441B9C04D972A2DA7C1E8ACF40
                                                                                                                                                                                                                                          Function 00007FFAAB577A45 Relevance: .3, Instructions: 276COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 96e380b9c7b843b7d6a2bdc4fdf0a69ae79f99eb1887362a185ce81cb55990d2
                                                                                                                                                                                                                                          • Instruction ID: 23d2e284f63e6598d58872d3c42e2f66f59103a76e29881089b45e064738e924
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 96e380b9c7b843b7d6a2bdc4fdf0a69ae79f99eb1887362a185ce81cb55990d2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0391C67090E78A8FDB41DBA8C8156EDBFF5EF16310F0405BAD049D71A3DA6C588ACB91
                                                                                                                                                                                                                                          Function 00007FFAAB57347E Relevance: .2, Instructions: 196COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 57c8364b130ea430971b2fde82eb839302d9c4b856a6f6ee471dec4f3b26fc5e
                                                                                                                                                                                                                                          • Instruction ID: 3309706ea158faeab5181b354febbb296db4e96951bb5e86c3241b6858cc2baf
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 57c8364b130ea430971b2fde82eb839302d9c4b856a6f6ee471dec4f3b26fc5e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 28617F70A0E65ECFDBA5DB68C4447ACB7B5FF16310F1045B9C00EE7292DA39698ACB40
                                                                                                                                                                                                                                          Function 00007FFAAB57946C Relevance: .2, Instructions: 195COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2e4f3179e1f4db2b7ff11cd32e6145a703277549bbab0e9bb9f145c9198fda23
                                                                                                                                                                                                                                          • Instruction ID: 2bf555c52b9698fba990a80924067a6a4f19f2fa80d01bce770e14b5acea2c8e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2e4f3179e1f4db2b7ff11cd32e6145a703277549bbab0e9bb9f145c9198fda23
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0B516071908A1C8FDB68DB68D845BE9BBF1FF59310F1082AAD44DD3252DE34A9858F81
                                                                                                                                                                                                                                          Function 00007FFAAB57E641 Relevance: .2, Instructions: 190COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 294f04feb5839ade9b01bca8bf73e56a832042edc36425788e1158eb2c2f8d36
                                                                                                                                                                                                                                          • Instruction ID: 2ca57dafff239abc2d1f6f9e108086fcb6f75b468ee827d623241e7bc5ac64fa
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 294f04feb5839ade9b01bca8bf73e56a832042edc36425788e1158eb2c2f8d36
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A6514030A0964ECFDF84EFA8D5559EDB7B5FF59300F104469D00EE72A2DA74A885CB80
                                                                                                                                                                                                                                          Function 00007FFAAB578570 Relevance: .2, Instructions: 159COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5dab1daf65794fef480c81e3140bbeff183bfb73045b038aa5daac262e14dccd
                                                                                                                                                                                                                                          • Instruction ID: 1787796e7d842aa7ba8930de996c1ed20ce31c1114d8a248d8b4fcafacd7e523
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5dab1daf65794fef480c81e3140bbeff183bfb73045b038aa5daac262e14dccd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 51516270D0991D8FDBA8DB68D498BEDBBB1EB59301F1044AAD00EE3291DB7599C5CF40
                                                                                                                                                                                                                                          Function 00007FFAAB6604DE Relevance: .2, Instructions: 150COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501771028.00007FFAAB660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB660000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab660000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 89de2d0c94597974f73f2911d6667b4fc1ee17ab5eef98a615ee593e30c5d3d9
                                                                                                                                                                                                                                          • Instruction ID: 5644af7b61817d636907d3ea631fbf87a97316e28a102aff46b4997d8a5179c0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 89de2d0c94597974f73f2911d6667b4fc1ee17ab5eef98a615ee593e30c5d3d9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FC411662A0DBC58FE796977C88A65647FE1EF6A21030941FBD04DC72B3D9289C468391
                                                                                                                                                                                                                                          Function 00007FFAAB5763FB Relevance: .1, Instructions: 135COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f290f826dafb9cf52d5a0c2518614e0bd07b6ecaa495a61f1830de64494b81e4
                                                                                                                                                                                                                                          • Instruction ID: 02140627f36435c67e5ecd43ac5118268ec15439a6b00e1b26e1c949cd03c005
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f290f826dafb9cf52d5a0c2518614e0bd07b6ecaa495a61f1830de64494b81e4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3F412572A0DB8B8FDB41EF68D8505E93BA4FF57350B0445B6D40EC71A3CA249C4AC781
                                                                                                                                                                                                                                          Function 00007FFAAB578372 Relevance: .1, Instructions: 118COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9a9dc668b6597748ce6b88ce3c388a6617b7c70475e62f8f3ce7a054f2acdb35
                                                                                                                                                                                                                                          • Instruction ID: 0a1a099e77a638046f48aa8503c610fe40725c97c761fa97828ed36244dd8281
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9a9dc668b6597748ce6b88ce3c388a6617b7c70475e62f8f3ce7a054f2acdb35
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F4410770A09A1D8FDB98DBA8C4947ADBBF1FF5A311F5040A9D04EE7252CB399985CB40
                                                                                                                                                                                                                                          Function 00007FFAAB57197B Relevance: .1, Instructions: 102COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 07dd584660f7447ae3da83363622ea363dbe38ba8c02fed8b6361d0f3fa35b1f
                                                                                                                                                                                                                                          • Instruction ID: 2e05ea09ccc33a39dfe6e81b94decd236c8a15a9bf7544cbb532a50ffbad416d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 07dd584660f7447ae3da83363622ea363dbe38ba8c02fed8b6361d0f3fa35b1f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 32315870D0A26ACFE7599B64C5583F8B2F5AF06340F5058BD900EA72A2DA785AC8DF44
                                                                                                                                                                                                                                          Function 00007FFAAB57337D Relevance: .1, Instructions: 91COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d4a2173db189d4d598254cf5007a476914d38ac0b7116b8a2d7acc699d05a5f1
                                                                                                                                                                                                                                          • Instruction ID: f4f1bce9d3310c7280ded98b23b99edf042c561746a7814330a9ccb4b4395a74
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d4a2173db189d4d598254cf5007a476914d38ac0b7116b8a2d7acc699d05a5f1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 90318D7090A75E8FDBA6DB28C4457A877F2EF46321F0045FAC04ED72A2CA395D86CB41
                                                                                                                                                                                                                                          Function 00007FFAAB574EFA Relevance: .1, Instructions: 90COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c950aa7344f3a508b1e57f06b6fcab911ec0acafb3d9c4bf940c353848b60484
                                                                                                                                                                                                                                          • Instruction ID: 23ff00a60d556afede86158340570828b860b5e44c5276c795e97b6d4cf02899
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c950aa7344f3a508b1e57f06b6fcab911ec0acafb3d9c4bf940c353848b60484
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3721F772A0DB8E8FD7459B6CE8615E67BA4EF46210B0406F7E04DC71A3C9245849C792
                                                                                                                                                                                                                                          Function 00007FFAAB57848D Relevance: .1, Instructions: 88COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7f5f05c2fb974360318b7b6b67ada6ce45777f081a0118fc7f0acb2a8c235688
                                                                                                                                                                                                                                          • Instruction ID: 6571f11f0e8fa534dfc1f3bf6f8b29202ccee10619d906fe2601322ba6d51436
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7f5f05c2fb974360318b7b6b67ada6ce45777f081a0118fc7f0acb2a8c235688
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AE31D670A0951DCFDB98DB59C498AECBBF5FF1A311F1004A9D00EE7261DB799984CB40
                                                                                                                                                                                                                                          Function 00007FFAAB577DC1 Relevance: .1, Instructions: 82COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 989e0b90d868de00745cb6722a5694d3ed82722474f69210e2e7ea859b3ab493
                                                                                                                                                                                                                                          • Instruction ID: ad1f9502c44bb8823a26d97a51f5f878ad1db78d91a847cee070953cb12ed558
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 989e0b90d868de00745cb6722a5694d3ed82722474f69210e2e7ea859b3ab493
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8A218C70E09A5D9FEB81EBA8C849AEDBBF1FF59311F10057AD009D3262DB385885CB41
                                                                                                                                                                                                                                          Function 00007FFAAB57D20A Relevance: .1, Instructions: 81COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f90f02aa6520028f383b46460ee6630365b1fa81991aa067557c43910adbe6ac
                                                                                                                                                                                                                                          • Instruction ID: c58266896e34a5ff42a27ba3f47bc993600cedb0722638d2c9d22fc8932e3eb4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f90f02aa6520028f383b46460ee6630365b1fa81991aa067557c43910adbe6ac
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 132119B0E0991ADFDB84DBA4D5556ECB7B5FF5A300F5044B9D00ED72A2CA389886CB40
                                                                                                                                                                                                                                          Function 00007FFAAB57E6D9 Relevance: .1, Instructions: 81COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7cd1ed17dbd8fc2667cd0df8685232f95cc245ffded969e252de62fa9cd12566
                                                                                                                                                                                                                                          • Instruction ID: 98e8cf5938eebfb7f1819aad3027735af9c6abe3c61caf8eaaa0f72010115980
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7cd1ed17dbd8fc2667cd0df8685232f95cc245ffded969e252de62fa9cd12566
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F1212B3090965ACFDB48DB64D911AEEB7B9FB46300F00456AE00ED7292CB746854CB90
                                                                                                                                                                                                                                          Function 00007FFAAB571B2F Relevance: .1, Instructions: 79COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 00336eae9c13a6b399490e4532f0eb052e7b1a2001c231cbe83f77c1a4508cc6
                                                                                                                                                                                                                                          • Instruction ID: 41db14eb27e76ac863cf749262d1d0e96282a88991b6791a4c3ca54f3a5c6737
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 00336eae9c13a6b399490e4532f0eb052e7b1a2001c231cbe83f77c1a4508cc6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4431DB3090662D8FDB95DB28C995BE8B7F1EF59341F5005E9D04EE32A1CA785E85CF40
                                                                                                                                                                                                                                          Function 00007FFAAB571E23 Relevance: .1, Instructions: 71COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4bee59360631451a57cb9a11b8f471e7e372e5de7d58df236840f97979f8bb44
                                                                                                                                                                                                                                          • Instruction ID: 17fa8739dd249a70812eabfd63ca153f7d64a6348d0cab2495fb2a38bb6f3865
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4bee59360631451a57cb9a11b8f471e7e372e5de7d58df236840f97979f8bb44
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7E314A70E0A62A8FEBA1DB28C8457E8B7F4AF19340F4441E9D44DD3292DA785EC9CF40
                                                                                                                                                                                                                                          Function 00007FFAAB570C1D Relevance: .1, Instructions: 68COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cb5988c9de109d60e8ea323c57e159df07382ae6b030fe78f5f3ec4052f00e6f
                                                                                                                                                                                                                                          • Instruction ID: 742f14901f32fb23c1bc7a6183846a7bf83a4854ce24e03bb536b3f1523447be
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cb5988c9de109d60e8ea323c57e159df07382ae6b030fe78f5f3ec4052f00e6f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5E210BB150F6828FD3459B78841A298BFD5EF42350F0408BFD049C72E3DA689849CB81
                                                                                                                                                                                                                                          Function 00007FFAAB57483D Relevance: .1, Instructions: 64COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7e80be5a0587e83fb13793104418e549063a99887bb8e0d5b66daa728b5916c6
                                                                                                                                                                                                                                          • Instruction ID: 002b647b348040b748754e7f2be485c3c59bc2ecf16d63bd2b6c03335068f232
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7e80be5a0587e83fb13793104418e549063a99887bb8e0d5b66daa728b5916c6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C7112962A0D6CF8FE751AF7CD9A51F93F54EF46254F0449F2E04D860E3DD28A48A86C1
                                                                                                                                                                                                                                          Function 00007FFAAB57D132 Relevance: .1, Instructions: 63COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 81e23986e8983fa6f5a9bdd7bf37f0221c8ed0824e770fa9d95795e286e4a070
                                                                                                                                                                                                                                          • Instruction ID: c1668d10414771ceee669353fc64e9d87cb7a0e2092d270a452ffad60d36444c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 81e23986e8983fa6f5a9bdd7bf37f0221c8ed0824e770fa9d95795e286e4a070
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C311D0B191EA8A8FDB819B74C5146ECBFF1EF46340F4444BAD049D31E3CE686889CB41
                                                                                                                                                                                                                                          Function 00007FFAAB5784B0 Relevance: .1, Instructions: 60COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: de5cb6c45036fa02d8d7662d9cac9bf699eab078578bfe0df627225b035bfe77
                                                                                                                                                                                                                                          • Instruction ID: 087eddea907661a359be6d9654e7d4a81c5261a702a3e89aa1c70bb37e7cf1d5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: de5cb6c45036fa02d8d7662d9cac9bf699eab078578bfe0df627225b035bfe77
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CF11DF30E0991ECFDB98DB59C484AECBBB4EF1A311F0054A9D00EE3291DB75A984CB40
                                                                                                                                                                                                                                          Function 00007FFAAB5779CC Relevance: .1, Instructions: 59COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a841eeaf40c575b5205a437d941d666786d141ad0a617bf1d93bd93e06bd8e18
                                                                                                                                                                                                                                          • Instruction ID: 0ba425b254f0ec42383b257fdccd00f3dc374fc5b0b08cc5d08e14759e9395ff
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a841eeaf40c575b5205a437d941d666786d141ad0a617bf1d93bd93e06bd8e18
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E001D671A46A4E8FD790DBAC98055FDBBE5EF85221B8002B6E009D7292DE5C1C874B51
                                                                                                                                                                                                                                          Function 00007FFAAB574A4B Relevance: .1, Instructions: 59COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5baae9958738fa0b97d549d89a8ac0cbec98ea3e9c696571f00222d4838e6502
                                                                                                                                                                                                                                          • Instruction ID: 7c5f970d4aa5bf55fb5e0a956749ab3c23d13572b06cadadf64e1f9985b79ed5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5baae9958738fa0b97d549d89a8ac0cbec98ea3e9c696571f00222d4838e6502
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C7114C31A0560ECFDB84EF68D841BE9B3A2FF49300F5149B8E40DC7292CE39A846CB40
                                                                                                                                                                                                                                          Function 00007FFAAB573B7D Relevance: .1, Instructions: 57COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 53678951048e7534117409e2a4e552fff4132824cc973224d9bbaa79cf1459e9
                                                                                                                                                                                                                                          • Instruction ID: 6fd33c708ae67b6eb678ef26bd423480d8fe4add295a553ed56e03cca6f71c60
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 53678951048e7534117409e2a4e552fff4132824cc973224d9bbaa79cf1459e9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A3110271D0D64E9FDB509BA4C4056EDBBB4FF42350F0086BAD10EE31D3CB68244A8B81
                                                                                                                                                                                                                                          Function 00007FFAAB571E9C Relevance: .1, Instructions: 54COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b84cb51f035d5eaa120866398b5321cdf153b66f42702cfea7990e37ed97fb4c
                                                                                                                                                                                                                                          • Instruction ID: d11473a5b33b1acdb35ee3f272b2431def9d32ccabcc598c1c32eadd5ac0edd3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b84cb51f035d5eaa120866398b5321cdf153b66f42702cfea7990e37ed97fb4c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 65117970D0A62ACFEBA5DB14C8457E8B7F5AB19350F0081F9D44D93292DA785EC98F80
                                                                                                                                                                                                                                          Function 00007FFAAB570C89 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c72665c08196b8382ceddd595dd89fc04647f892c51ab432547af76c4bf2ba98
                                                                                                                                                                                                                                          • Instruction ID: 350fbd7c9931c7abf8738a5c684393b562f1a831f01103aa133deb9820c60b5e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c72665c08196b8382ceddd595dd89fc04647f892c51ab432547af76c4bf2ba98
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DB01267150B74A8FD755A778C8162E9B7E1EF41311F0004BAD00AD76E1DE785D498A41
                                                                                                                                                                                                                                          Function 00007FFAAB571E7E Relevance: .0, Instructions: 48COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 22f8bf6625ca2ca2c6b3ca01fb2d6066b7e12b5fcee5228207bb3cf7e1ac1ea9
                                                                                                                                                                                                                                          • Instruction ID: 988328b525e4974153462bb4c0feeecb27eb356a2049f85cb093cf87d5ba04f6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 22f8bf6625ca2ca2c6b3ca01fb2d6066b7e12b5fcee5228207bb3cf7e1ac1ea9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D9015E70E0A65A9FEBE2DB788405698BBF8EF09350F4445E5D40DD3162DA385EC68F80
                                                                                                                                                                                                                                          Function 00007FFAAB571EB6 Relevance: .0, Instructions: 47COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dba3829f749945c888c15f59f7703ec2267e17742d52f5a9253e5660728eb668
                                                                                                                                                                                                                                          • Instruction ID: 25dfbf1433019f5968c483876f411ca1def8c4113f4a2ee359b892b97382124f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dba3829f749945c888c15f59f7703ec2267e17742d52f5a9253e5660728eb668
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EB11B6B0D096298FEBA1DF288945BD9B7F4AB19340F4445E6D04DE3252DA785EC5CF40
                                                                                                                                                                                                                                          Function 00007FFAAB5718A4 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9d27b0a561dcaa4679290228c735ca3ffbbb96552d6876697c4c7c4d09716f74
                                                                                                                                                                                                                                          • Instruction ID: 640b356e98f8cefd4dde7e6857237f7fbe38c4463ef61fff686a62c4e11b2dde
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9d27b0a561dcaa4679290228c735ca3ffbbb96552d6876697c4c7c4d09716f74
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 10014B70D0A22A8FD7999B64C4543E8B2F1BF05300F4008FDD00EA76A2CB795AC8CF04
                                                                                                                                                                                                                                          Function 00007FFAAB5732B8 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 353e05bc247db5758be43a8bafa5991fcec6563321f389988de32d44bea55218
                                                                                                                                                                                                                                          • Instruction ID: 9dfe4fd1bad7a70928cc434990c2bca22cf9c6b50aed289d0998eb06ab673a10
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 353e05bc247db5758be43a8bafa5991fcec6563321f389988de32d44bea55218
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C1F09031C0864E9FDB41EBA4C0457EDBBF1EF46311F0482B6C019E3292C63C0989CB80
                                                                                                                                                                                                                                          Function 00007FFAAB571CC7 Relevance: .0, Instructions: 35COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7708378ccf8f9458dd51f943d96e064dbaf81d9bd530cccd180c15f877cccbee
                                                                                                                                                                                                                                          • Instruction ID: cc2bfa064f51a145afdf5085d413df9b1a293964bd9ff3dd1934dce7ec923a50
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7708378ccf8f9458dd51f943d96e064dbaf81d9bd530cccd180c15f877cccbee
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6EF0AF30C1A25A9FD7219B3888026F8B7F0AF06701F9001F8D08A93193DA3C6D8ACF95
                                                                                                                                                                                                                                          Function 00007FFAAB571DD1 Relevance: .0, Instructions: 29COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4c907205dc63557039373d218f9d84d36032badcaf4f4e148a3e2881050c3d54
                                                                                                                                                                                                                                          • Instruction ID: 2e59a63976dab34f73bc98fa249751847d92fa2bb813e9f2504ca50968375c02
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4c907205dc63557039373d218f9d84d36032badcaf4f4e148a3e2881050c3d54
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 44F02770D4A25ACFC701CB78C880B9ABBF4BF02314F0545B4C444A7196C7389C86C740
                                                                                                                                                                                                                                          Function 00007FFAAB571C27 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7016abf91060ae5921c0b33e39e69c24b8e6ef7621b2dcbffcddbc8ba1701579
                                                                                                                                                                                                                                          • Instruction ID: 10d3407ebf58e51d0c71844a97c70929e77ec6907842399699234d82f60eddac
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7016abf91060ae5921c0b33e39e69c24b8e6ef7621b2dcbffcddbc8ba1701579
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 58F0157190A26A8FD7A59B74C8853ECBBF1AF42341F5484B8D00D672A2CA7D1EC9CB40
                                                                                                                                                                                                                                          Function 00007FFAAB571C77 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ac6d83338f244b63e6fa8215edd3ada7c5dde9668be65662a6dc33660b29d3dc
                                                                                                                                                                                                                                          • Instruction ID: 2a6a549530c4484bc81d542e37a24a73ab8060539801fef1d0b15e1bcd78885f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ac6d83338f244b63e6fa8215edd3ada7c5dde9668be65662a6dc33660b29d3dc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 42F0523080A26A8FD7609A65C8457ECB7F4AF02341F8480A8D009672A2CA791A8ACF00
                                                                                                                                                                                                                                          Function 00007FFAAB571928 Relevance: .0, Instructions: 22COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 538575461308cb90d477b47793a8b59bb9884a4fb146c4638a9a43e5244d0005
                                                                                                                                                                                                                                          • Instruction ID: 22bcfc52126fdcb2656ed34bdc48359052ef3aace2cb139a89008040059115e8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 538575461308cb90d477b47793a8b59bb9884a4fb146c4638a9a43e5244d0005
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A0E0657090A2998FD796EB28C40479877E1EF09310F8004F9940DC76A2CA380E868B00
                                                                                                                                                                                                                                          Function 00007FFAAB571F6A Relevance: .0, Instructions: 14COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cce64bd4d46f675fd21b2decd4d616ea8c8bf8cb888432cc0f56b5dc7b9cebe8
                                                                                                                                                                                                                                          • Instruction ID: 7b6e6912b89ddc64f3c1abb3402450d9cf4439f6328ddb8a0a1f7baa56699deb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cce64bd4d46f675fd21b2decd4d616ea8c8bf8cb888432cc0f56b5dc7b9cebe8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8ED0223050B386BFC70297B84801088BBF05F07210B8400F8D00987163C17E9C878B01
                                                                                                                                                                                                                                          Function 00007FFAAB571F8D Relevance: .0, Instructions: 12COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: eaff95b468a6d17d0163948394400a343fb2fd2e36ad76892a58ff456527dc4c
                                                                                                                                                                                                                                          • Instruction ID: 34501cf5b67a4f97bc86b717292fd27437e9793beef5809f03643e31602ed8fc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eaff95b468a6d17d0163948394400a343fb2fd2e36ad76892a58ff456527dc4c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2CD0127014B2866FD74257B888116957FE04F03260F9D05E4D545874A3D1AD1C8B8711
                                                                                                                                                                                                                                          Function 00007FFAAB576E93 Relevance: .0, Instructions: 7COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000E.00000002.1501319173.00007FFAAB570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB570000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_7ffaab570000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4db7e997fc44cbe5bcde5953b4116c764836bf346ba6dd5c1a6b7f147ab74357
                                                                                                                                                                                                                                          • Instruction ID: c165009c0b6006ab5d47c8c0cf1e91dfc8a3d1df38a902dc0d959634217d1a9d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4db7e997fc44cbe5bcde5953b4116c764836bf346ba6dd5c1a6b7f147ab74357
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8CA00202FCB46F819445219E79424D8B248CB861B1BC56972ED0D8415B988E19DA02C5

                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                          Function 00007FFAAB5A3378 Relevance: 7.3, Strings: 5, Instructions: 1020COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: `%O$`%O$`%O$`%O$`%O
                                                                                                                                                                                                                                          • API String ID: 0-2520754665
                                                                                                                                                                                                                                          • Opcode ID: 159a0d1785248f2e16400476e76163cf7936c14dbcfbe824f4ffbb519105475a
                                                                                                                                                                                                                                          • Instruction ID: 7b17410d724708ef0536496ef05f5890f0c397dcb14f958fe444cc8b3a66aa10
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 159a0d1785248f2e16400476e76163cf7936c14dbcfbe824f4ffbb519105475a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 07626431719E4A8FEB94EB2CC458B6677D6EF99340F0445BAD14FC72A3CE24E8498781
                                                                                                                                                                                                                                          Function 00007FFAAB590D42 Relevance: 2.1, Strings: 1, Instructions: 886COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 0WO
                                                                                                                                                                                                                                          • API String ID: 0-3064067302
                                                                                                                                                                                                                                          • Opcode ID: 8d973e9c415aeaac14b4217728c12d28735c733b40fd3c29937fcd1031658b2c
                                                                                                                                                                                                                                          • Instruction ID: 0e546b33c6b71caab0ca5765375f74c669d9e2fb71c2366b1799bd3f2ad12fd3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8d973e9c415aeaac14b4217728c12d28735c733b40fd3c29937fcd1031658b2c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DB52377180964D8FD725EF24D8056EABBB8FF46350F0401BAD04EC71A2DA3A5A4ACB91
                                                                                                                                                                                                                                          Function 00007FFAAB594E6B Relevance: 1.4, Strings: 1, Instructions: 124COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 0DO
                                                                                                                                                                                                                                          • API String ID: 0-2831280591
                                                                                                                                                                                                                                          • Opcode ID: 4d9210b4164d67e7ccd5994c2b3e35fe4194ce1bae0ff43b69915d56f6706b82
                                                                                                                                                                                                                                          • Instruction ID: a76ffd4e959b0b035b52067fd64f5e9ad55fbd23450a2e274fe6446681a11da1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4d9210b4164d67e7ccd5994c2b3e35fe4194ce1bae0ff43b69915d56f6706b82
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6E41A130D0A64A8FE755DF64D4992FDBBF0EF46240F0845BDC04E972E2CA3A5849CB80
                                                                                                                                                                                                                                          Function 00007FFAAB5E6CF3 Relevance: 1.4, Strings: 1, Instructions: 108COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 0DO
                                                                                                                                                                                                                                          • API String ID: 0-2831280591
                                                                                                                                                                                                                                          • Opcode ID: e2a0fb8ef05e69b39295192e7ff66a3df1738b85a99dd14f652212a02785d30a
                                                                                                                                                                                                                                          • Instruction ID: ba29486c9ed9bb550101c265eb7ef571c398ca4a33139ae4abf68944e49d25fe
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e2a0fb8ef05e69b39295192e7ff66a3df1738b85a99dd14f652212a02785d30a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 993183B1D08A4ECFEF54EF98D455AEDBBB1EF55380F404269D00DDB296CA749886CB80
                                                                                                                                                                                                                                          Function 00007FFAAB5A1E9A Relevance: .6, Instructions: 614COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 36e7fe4bf61b73a66b626ae667c98c540819c8c3c05a966cfe635c8106ed255c
                                                                                                                                                                                                                                          • Instruction ID: 453da8c01fc8d448b13407fa47f7f1ca2af3f12536338a9b27b121696248398c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 36e7fe4bf61b73a66b626ae667c98c540819c8c3c05a966cfe635c8106ed255c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8822E670A1DB868FD759DB28C095676BBE1FF96300F04857ED48FC71A2CA25E846C782
                                                                                                                                                                                                                                          Function 00007FFAAB59C5E0 Relevance: .5, Instructions: 507COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f8fd07372ee12bfaab82d6ddcdcaf7d41c11ae108f1999376943f527418695e5
                                                                                                                                                                                                                                          • Instruction ID: b70e21b4d12d744fd273af455e88441f02b79ca168a16d12d4d88cdd7d998e2d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f8fd07372ee12bfaab82d6ddcdcaf7d41c11ae108f1999376943f527418695e5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 23E1497160E7868FE756973884555B57BE1EF87350B1881FBD04ECB1E3DE28A84AC381
                                                                                                                                                                                                                                          Function 00007FFAAB79C870 Relevance: 6.0, Strings: 4, Instructions: 972COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: XH$XH$j+_H${+_^
                                                                                                                                                                                                                                          • API String ID: 0-342230219
                                                                                                                                                                                                                                          • Opcode ID: 941b746952eef37791d78e4f9e497d4d41dafe081c09af80a6ec3460b6f06e78
                                                                                                                                                                                                                                          • Instruction ID: 75013154021a018b62c380b73309a207c56e4756bd49e4802ee4e6a6fe9bd173
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 941b746952eef37791d78e4f9e497d4d41dafe081c09af80a6ec3460b6f06e78
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D562353251EB868FDB54EB3CD4959A57BF1EF4A340F0845BAD08DC71B3DE28A8468781
                                                                                                                                                                                                                                          Function 00007FFAAB79E04C Relevance: 6.0, Strings: 4, Instructions: 965COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 6E$6E$6E$6E
                                                                                                                                                                                                                                          • API String ID: 0-608619359
                                                                                                                                                                                                                                          • Opcode ID: 89ab2d91443657da655d038da020b5aa9539ae4270c2e6b9e162b3d8440f516e
                                                                                                                                                                                                                                          • Instruction ID: bba303a59ddea3df9a0f8f979f88d877d5b8f5bca8bd2c48c3e8df6843411d6e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 89ab2d91443657da655d038da020b5aa9539ae4270c2e6b9e162b3d8440f516e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7D624970A1EA4A8FEBA8D768C456A7977F1FF55340F5040FDD00EC72A2DE25AC4A8781
                                                                                                                                                                                                                                          Function 00007FFAAB59A0A0 Relevance: 5.5, Strings: 4, Instructions: 516COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 0-O$0-O$0-O$0-O
                                                                                                                                                                                                                                          • API String ID: 0-107054732
                                                                                                                                                                                                                                          • Opcode ID: 5d7d9393fa18e9d80d4ef297d01277f1773efdefee9d2126d001cc868f31a4dc
                                                                                                                                                                                                                                          • Instruction ID: bee93f6d3aef8a9c49b2662420de09cc615131b5ea6eb4271e208b39bd9cd5c7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5d7d9393fa18e9d80d4ef297d01277f1773efdefee9d2126d001cc868f31a4dc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 46E12661B1DA0B8FE794E72C945A67937D6EF9A390F0441BEE04EC72A3DD19AC0643C1
                                                                                                                                                                                                                                          Function 00007FFAAB59AAE8 Relevance: 5.4, Strings: 4, Instructions: 402COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: }G$0pO$P~G$tO
                                                                                                                                                                                                                                          • API String ID: 0-3089263112
                                                                                                                                                                                                                                          • Opcode ID: fd3b16630d25d505c6a84cc69617668035b290e617b0978b849ce9512e4b281e
                                                                                                                                                                                                                                          • Instruction ID: 576e87edb12fcdaf759173fdf8217ff1cddad3c36bac79b3845e0ac232dd3d81
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fd3b16630d25d505c6a84cc69617668035b290e617b0978b849ce9512e4b281e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B2B10A21A0DA4F8FFB95EB6C849977877D5EF56340F0484BAD44EC72A3DD16AC098780
                                                                                                                                                                                                                                          Function 00007FFAAB59DE20 Relevance: 4.3, Strings: 3, Instructions: 563COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 6E$J9E$plO
                                                                                                                                                                                                                                          • API String ID: 0-3249010378
                                                                                                                                                                                                                                          • Opcode ID: 361af486e01f34130cad0a8f21c5a135e9d601b709a01ae06fd49f2dc9fee277
                                                                                                                                                                                                                                          • Instruction ID: ba34862de1eef71cd1ff471b690a93ecbd5b408b397544fe0c3f55458ccbbdd0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 361af486e01f34130cad0a8f21c5a135e9d601b709a01ae06fd49f2dc9fee277
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 95F1597161CB868FE759DB3C84565797BE1EF9A340F0441BEE08EC71E3DD29A80A8781
                                                                                                                                                                                                                                          Function 00007FFAAB5A4091 Relevance: 4.1, Strings: 3, Instructions: 325COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: }G$`oO$r6E
                                                                                                                                                                                                                                          • API String ID: 0-2040578635
                                                                                                                                                                                                                                          • Opcode ID: 2faf40b2cab835371512f32a18655de1e2109b807adcbdcb14d0a4cb556754ea
                                                                                                                                                                                                                                          • Instruction ID: 7b021019d86991c013e6170b1d42833d9c7752b0bc4f654f7923f57dc6853f99
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2faf40b2cab835371512f32a18655de1e2109b807adcbdcb14d0a4cb556754ea
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5EB18271A15A0E9FEBA8DB68D8597A877B5FF55340F0041FED00EE3292DE345946CB40
                                                                                                                                                                                                                                          Function 00007FFAAB597DC8 Relevance: 4.0, Strings: 3, Instructions: 279COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 0DO$0DO$0DO
                                                                                                                                                                                                                                          • API String ID: 0-3543897194
                                                                                                                                                                                                                                          • Opcode ID: 4f6ebc40d959b9be9627fdfe7c99667c68baffcc6b03e31e5f649a24aecb6a2e
                                                                                                                                                                                                                                          • Instruction ID: 658ec26bfab3db9dd732a8a154811d4f902f55554d15af7e5f5d4d01e9e5ac1e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4f6ebc40d959b9be9627fdfe7c99667c68baffcc6b03e31e5f649a24aecb6a2e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4591B271919A4E8FEB98DF68C855AADB7E5FF45380F04467AE00ED3293CF2568068780
                                                                                                                                                                                                                                          Function 00007FFAAB59CFC8 Relevance: 3.2, Strings: 2, Instructions: 692COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: /E$/E
                                                                                                                                                                                                                                          • API String ID: 0-1195910066
                                                                                                                                                                                                                                          • Opcode ID: 668d55e1013766f893c805d8f3af944574868e455c161850d192255064bcf3ca
                                                                                                                                                                                                                                          • Instruction ID: 36a81b8250d0d779cfaf088821749b79942fa1567cf7994322cc91cd853ef7fd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 668d55e1013766f893c805d8f3af944574868e455c161850d192255064bcf3ca
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5722E630A1D7868FD759DB28849953A77E5EF8A740F14857DE4CFC31A3DA28E8078782
                                                                                                                                                                                                                                          Function 00007FFAAB5949C5 Relevance: 3.0, Strings: 2, Instructions: 467COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 0DO$`mO
                                                                                                                                                                                                                                          • API String ID: 0-2985722345
                                                                                                                                                                                                                                          • Opcode ID: 0811f82629971310053de76b85e94edd3ef00e2f72bacf90372e9a5b843c9612
                                                                                                                                                                                                                                          • Instruction ID: 23272c5c8207f35b6fac82e257881739d25724c6ec8c5d405359dc95b181cc37
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0811f82629971310053de76b85e94edd3ef00e2f72bacf90372e9a5b843c9612
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3BE1027180AB8E8FE795DF68C8596E97BB1FF06300F0445FAD44EC71A2DA396849C781
                                                                                                                                                                                                                                          Function 00007FFAAB5A06AA Relevance: 2.9, Strings: 2, Instructions: 412COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: H$d
                                                                                                                                                                                                                                          • API String ID: 0-989806989
                                                                                                                                                                                                                                          • Opcode ID: 4444cb64cc4fca1005d192229718baa5808d4b2680942763952b6828f54f30b3
                                                                                                                                                                                                                                          • Instruction ID: e1fa7a8e654b817332376b61155321e3d23f07983a80b6cda689fd130bbe78fa
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4444cb64cc4fca1005d192229718baa5808d4b2680942763952b6828f54f30b3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8EC12330A2DB468FE769DB18C449975B7E5EF96380B1885BDD04EC71A3CA34F8468BC1
                                                                                                                                                                                                                                          Function 00007FFAAB79B838 Relevance: 2.9, Strings: 2, Instructions: 394COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: WVSH$1_H
                                                                                                                                                                                                                                          • API String ID: 0-4266496363
                                                                                                                                                                                                                                          • Opcode ID: ce44f66103f92e7cabb602f711214aabe677abe8eea6d4be2a56dc88aa9d81b1
                                                                                                                                                                                                                                          • Instruction ID: 1561a296e8db57365d6f2cb67d9b7ab1a19bd71defddf3351902597bebd2e15f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ce44f66103f92e7cabb602f711214aabe677abe8eea6d4be2a56dc88aa9d81b1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 29C1FA6290EA868FD3D6D72C84656A53BF1EF5B250B4844FAC04DCB6B3DD5A580A43C1
                                                                                                                                                                                                                                          Function 00007FFAAB5986DA Relevance: 2.9, Strings: 2, Instructions: 388COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: p[G$p[G
                                                                                                                                                                                                                                          • API String ID: 0-1094101947
                                                                                                                                                                                                                                          • Opcode ID: a173fb13007a108a9e21150b8ec913a409e04cf4838e4b16fee19e9b759cb253
                                                                                                                                                                                                                                          • Instruction ID: a558bc7c1fbaf74381346e03bc3b918668130d11fd620f6e2e6e28a5ca4710f2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a173fb13007a108a9e21150b8ec913a409e04cf4838e4b16fee19e9b759cb253
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4DD1E731D0D64A8FD7A8DB64C8457E87FF5EF46390F0442BAD04ED71A2DA39184ACB91
                                                                                                                                                                                                                                          Function 00007FFAAB797458 Relevance: 2.9, Strings: 2, Instructions: 352COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 6E$AWAV
                                                                                                                                                                                                                                          • API String ID: 0-348769264
                                                                                                                                                                                                                                          • Opcode ID: 539a53767cd22ce2779d499eac20a88c838bf122d39a6e18e39390bd67f7511f
                                                                                                                                                                                                                                          • Instruction ID: 278db6c7c46dc1f7a95ae6cc6218ed93aca9dce978c0d5034546317bd6589bcd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 539a53767cd22ce2779d499eac20a88c838bf122d39a6e18e39390bd67f7511f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 64A14731A0EA868FE799973C88695743FF1EF5B29070840FAD48DC72B3DD19AC068391
                                                                                                                                                                                                                                          Function 00007FFAAB7914A7 Relevance: 2.8, Strings: 2, Instructions: 319COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: UAWA$i-_H
                                                                                                                                                                                                                                          • API String ID: 0-508801235
                                                                                                                                                                                                                                          • Opcode ID: bf54ba2a9a23257024028602f532980879fad6b1b3c2592ce1306cb8c26e20bf
                                                                                                                                                                                                                                          • Instruction ID: d5aa06428ccfb86d37fe9452a3da86b7b395fdbe4a503d7a9abadfe62472d601
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bf54ba2a9a23257024028602f532980879fad6b1b3c2592ce1306cb8c26e20bf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 36A13630A0AB4E8FDB98DF28C8415A977F1FF9A350F14426DD44EC72A5DA76A817C780
                                                                                                                                                                                                                                          Function 00007FFAAB790B98 Relevance: 2.8, Strings: 2, Instructions: 319COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: UAWA$i-_H
                                                                                                                                                                                                                                          • API String ID: 0-508801235
                                                                                                                                                                                                                                          • Opcode ID: eca7bce0dfc20e9fa7bf60e5fe740199826d53e55cb167c756a2fc26af23846e
                                                                                                                                                                                                                                          • Instruction ID: 67a0a97bebcb3ab0a7c78fd73e63c967f55d253bf97f7af6b4fba72291f73a54
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eca7bce0dfc20e9fa7bf60e5fe740199826d53e55cb167c756a2fc26af23846e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 91A15A3190EA4A8FDF94DB2888415F97BF1FF9A350F1441BAD40DC76A2CE65A81A87C1
                                                                                                                                                                                                                                          Function 00007FFAAB59F29D Relevance: 2.8, Strings: 2, Instructions: 309COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: /V_H$8hG
                                                                                                                                                                                                                                          • API String ID: 0-2673873078
                                                                                                                                                                                                                                          • Opcode ID: cec63700e1069812ad81d8286fc2cda656af2ff24538edce21b3a0f57d9c1f4c
                                                                                                                                                                                                                                          • Instruction ID: 35f3cbd58eac96cdef445c4aae082aabeb7c610aed0ee5393d55d3bd683ca6da
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cec63700e1069812ad81d8286fc2cda656af2ff24538edce21b3a0f57d9c1f4c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 21A1A67191964A8FE7A8EB68D8896EC77B5FF55340F0041FAD00ED31A3DE3569868B80
                                                                                                                                                                                                                                          Function 00007FFAAB5A4804 Relevance: 2.8, Strings: 2, Instructions: 303COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: b4E$b4E
                                                                                                                                                                                                                                          • API String ID: 0-3606647801
                                                                                                                                                                                                                                          • Opcode ID: 3131413d4b9d4722cde94065d1ea7e0382b3a7a187ec2585385579b242ce03b7
                                                                                                                                                                                                                                          • Instruction ID: d2a31531e00cbe49725c2e93eca60d182246124c16b4afea10f327cc5ce13236
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3131413d4b9d4722cde94065d1ea7e0382b3a7a187ec2585385579b242ce03b7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 49916531A18B4B8FD758DB6CD4895B5B7D5FB92350B10867ED08FC31A3EE24E8468780
                                                                                                                                                                                                                                          Function 00007FFAAB599EF1 Relevance: 2.7, Strings: 2, Instructions: 161COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 0XO$:
                                                                                                                                                                                                                                          • API String ID: 0-1184459252
                                                                                                                                                                                                                                          • Opcode ID: 363a9fcdbbe7e8b8c932f28659cb251147dbf1d231df8592ac569e2fdfefa6bb
                                                                                                                                                                                                                                          • Instruction ID: 2b33e955213f36f7624e304fe80e90f07c87b1135305a44b7b5da12de8ea21a0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 363a9fcdbbe7e8b8c932f28659cb251147dbf1d231df8592ac569e2fdfefa6bb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A9412713A0D54A4FDB55B77CE8555F83BA5DF8A2A4B0841F7D48DCB0A3EC08988A87D4
                                                                                                                                                                                                                                          Function 00007FFAAB593048 Relevance: 2.6, Strings: 2, Instructions: 139COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 0DO$i\_H
                                                                                                                                                                                                                                          • API String ID: 0-2723029651
                                                                                                                                                                                                                                          • Opcode ID: 8bd8a7a1c69c087dbc36b668f527d838e30e8fab0f9914126639eea6cd3cc6a3
                                                                                                                                                                                                                                          • Instruction ID: 30f89b22e8926f2296f65e4b58f729beae7ba133e5b420b194a13bb14e5b743d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8bd8a7a1c69c087dbc36b668f527d838e30e8fab0f9914126639eea6cd3cc6a3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C141A471919A4E8FDB88DF58C8559EE7BF2FF99350F00457AE40AD3252CB35A845CB80
                                                                                                                                                                                                                                          Function 00007FFAAB59AF99 Relevance: 2.6, Strings: 2, Instructions: 134COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: }G$tO
                                                                                                                                                                                                                                          • API String ID: 0-3082474318
                                                                                                                                                                                                                                          • Opcode ID: a20ec2f8384cbfbec6847e916d78d899d86ad6913ba40ea5ea174c4229a783f9
                                                                                                                                                                                                                                          • Instruction ID: 3dbf916e01c615a2a93d5fa9c163436a2507a130f1eaedbf0599ff6b56c2b91f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a20ec2f8384cbfbec6847e916d78d899d86ad6913ba40ea5ea174c4229a783f9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 12312A3190DB8E8FF795DB2888945B97BE4FF5A350B0445BFD44DC71A3DE2668098380
                                                                                                                                                                                                                                          Function 00007FFAAB59A020 Relevance: 1.8, Strings: 1, Instructions: 555COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: HkH
                                                                                                                                                                                                                                          • API String ID: 0-2048587430
                                                                                                                                                                                                                                          • Opcode ID: d48015cb176b059f8f00a9000f6f53014649af925c36b0a2219bf2045acdceaa
                                                                                                                                                                                                                                          • Instruction ID: b54fb0d52a675be0f0ef1369986b57c3742dfcb3a65d869390073b958041af72
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d48015cb176b059f8f00a9000f6f53014649af925c36b0a2219bf2045acdceaa
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B502D97161DB8A8FE754EB28C4596BAB7E1FF99340F00457DD08EC72A3DE34A8458782
                                                                                                                                                                                                                                          Function 00007FFAAB5A43EA Relevance: 1.7, Strings: 1, Instructions: 409COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                                                          • Opcode ID: 0af518db0c4cb6a717ff37993218dceab1399a7404bfcb78370fefa4dbd0eb2f
                                                                                                                                                                                                                                          • Instruction ID: af0763e8aa7effece52fea97e9420ca3587c93866c7c7b95d845b227a130cd74
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0af518db0c4cb6a717ff37993218dceab1399a7404bfcb78370fefa4dbd0eb2f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 11C10030A1DB8A8FD768DB58C449535B7E5FF96380B1485BED08EC71A7CA25F8078781
                                                                                                                                                                                                                                          Function 00007FFAAB59E5B8 Relevance: 1.6, Strings: 1, Instructions: 384COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                                                          • Opcode ID: c8a6be251536ca56bdd80935ace504ae09b1086ce665b8f917b8f402f13d3c6b
                                                                                                                                                                                                                                          • Instruction ID: 612218890bb316d3c3d17ea1a9ab8241c15debf68f69618c9959a50a9e091693
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c8a6be251536ca56bdd80935ace504ae09b1086ce665b8f917b8f402f13d3c6b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E3C1EF30629B468FD768DB18D485936B3E5FF96350B18857DD08FC32A6CA35F8478B81
                                                                                                                                                                                                                                          Function 00007FFAAB5A3B08 Relevance: 1.6, Strings: 1, Instructions: 380COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                                                          • Opcode ID: 33dfac89fd33220c201c77be867d16f2c1e4c2470be30b7193f28bae7af912dc
                                                                                                                                                                                                                                          • Instruction ID: 5baade13ddbedad545ce9e640fd28a2cc545e0ba94341d5dd584afd4e32d446e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 33dfac89fd33220c201c77be867d16f2c1e4c2470be30b7193f28bae7af912dc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A6C1DD30618B4A8FD768EB58D445536B3E5FF9A340B148A7DD08FC36A6CA35F8478B81
                                                                                                                                                                                                                                          Function 00007FFAAB5A3A88 Relevance: 1.6, Strings: 1, Instructions: 366COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                                                          • Opcode ID: a4ecd3f35343ab7c39a7bdad0e4724af55081b55e203290f7dd1a2acd98b27c6
                                                                                                                                                                                                                                          • Instruction ID: 8677004ae3441b29846e1e198f2cf68886444aaeb2a4471990b08a53539e3cc5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a4ecd3f35343ab7c39a7bdad0e4724af55081b55e203290f7dd1a2acd98b27c6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CDB10131A1CA468BD628EB58D4455B6B3E5FF96354B1486BED08F831A3CA20B8478BC1
                                                                                                                                                                                                                                          Function 00007FFAAB593FFD Relevance: 1.6, Strings: 1, Instructions: 349COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: p[G
                                                                                                                                                                                                                                          • API String ID: 0-3967213495
                                                                                                                                                                                                                                          • Opcode ID: d333317c3b70bb552d4b33f1e5074254d08e43343cb86952d1bf0494c6de581c
                                                                                                                                                                                                                                          • Instruction ID: 824917a7831731da665f6a2b486f55052a1c2b273c5566b3d639486b592ed0ee
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d333317c3b70bb552d4b33f1e5074254d08e43343cb86952d1bf0494c6de581c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2FC11571C0E68A8FE7259B6498456E9BFB8FF43350F0442BAD04ED71E3DA29194AC7C1
                                                                                                                                                                                                                                          Function 00007FFAAB5A3B90 Relevance: 1.5, Strings: 1, Instructions: 295COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: b4E
                                                                                                                                                                                                                                          • API String ID: 0-1742450236
                                                                                                                                                                                                                                          • Opcode ID: 987c63aa0b7eddad5f2efeda7363344a6d58eba6b37375ae25294940910d5a42
                                                                                                                                                                                                                                          • Instruction ID: ba1d0ed6ceed1c8cd2447169a53892d9d994784252e1269989531f57adabccac
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 987c63aa0b7eddad5f2efeda7363344a6d58eba6b37375ae25294940910d5a42
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EB91853061DB8A8FD758DB6C84895B57BE1EF86350F14867ED08FC32A3DE24B8068781
                                                                                                                                                                                                                                          Function 00007FFAAB79B3D5 Relevance: 1.5, Strings: 1, Instructions: 288COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: AWAV
                                                                                                                                                                                                                                          • API String ID: 0-7688948
                                                                                                                                                                                                                                          • Opcode ID: d5cc16b4838e6c7a082578e0f305d64d4c669b050220b0a4e5f6ba08f062e6ad
                                                                                                                                                                                                                                          • Instruction ID: 046413b944d4ef17c51febb36fe543fb61439643f34bf817e8f3c6f777d0081e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d5cc16b4838e6c7a082578e0f305d64d4c669b050220b0a4e5f6ba08f062e6ad
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A781D33070E9498FD7E9EB2CD45967937E0EF4A35071444FAD48EC72B2D916EC468781
                                                                                                                                                                                                                                          Function 00007FFAAB5A70A6 Relevance: 1.5, Strings: 1, Instructions: 275COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: HkH
                                                                                                                                                                                                                                          • API String ID: 0-2048587430
                                                                                                                                                                                                                                          • Opcode ID: 325449f347085bd8a03e780e0b06a51378c89f48dd30594b1779aa240d33a252
                                                                                                                                                                                                                                          • Instruction ID: a94ff70ce71c0e058b352be94657bd3e56bef8f7517b37ad2e6328d94fffbc18
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 325449f347085bd8a03e780e0b06a51378c89f48dd30594b1779aa240d33a252
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7081DA7061CB4A8FE764EF28845967AB7E1FF99340F00857ED48DC7263DE34A8458782
                                                                                                                                                                                                                                          Function 00007FFAAB598A55 Relevance: 1.5, Strings: 1, Instructions: 263COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: p[G
                                                                                                                                                                                                                                          • API String ID: 0-3967213495
                                                                                                                                                                                                                                          • Opcode ID: 5ef936f730c9b75ec3f033ef76063fbf4b77b95793768580458d9be096b7a026
                                                                                                                                                                                                                                          • Instruction ID: b54b81a5c65817deb8a6203bbaa64f22009e903837da007ed9003a6313bf09c1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5ef936f730c9b75ec3f033ef76063fbf4b77b95793768580458d9be096b7a026
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8891E37080E68E8FDB59DB6498556E9BFF4EF06390F0841BAD04EDB1A3CA391446C791
                                                                                                                                                                                                                                          Function 00007FFAAB5A9FA0 Relevance: 1.5, Strings: 1, Instructions: 247COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: /E
                                                                                                                                                                                                                                          • API String ID: 0-3969647439
                                                                                                                                                                                                                                          • Opcode ID: c8604f6637315d2aa37a2de2262660be954d7eb1cb3f51978c30cd9720280fb4
                                                                                                                                                                                                                                          • Instruction ID: e231e5c6241e1f27028f356ad8151170c540e3d22ca353feea19df07032708ba
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c8604f6637315d2aa37a2de2262660be954d7eb1cb3f51978c30cd9720280fb4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A0710930A19B8B8FE76AD728849D57577E5FF5A340B0444BED08FD32A3DD28B8458381
                                                                                                                                                                                                                                          Function 00007FFAAB593175 Relevance: 1.5, Strings: 1, Instructions: 224COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 0DO
                                                                                                                                                                                                                                          • API String ID: 0-2831280591
                                                                                                                                                                                                                                          • Opcode ID: 730e1fd6ac4d9d80dfa9fdbeb270d85e8d52a1a8b19883f6c669477abf5a25e7
                                                                                                                                                                                                                                          • Instruction ID: ce6731b2f154f9dbf12bea72a1457d0e0412e25386c829ef9f97d5641efa1271
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 730e1fd6ac4d9d80dfa9fdbeb270d85e8d52a1a8b19883f6c669477abf5a25e7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9F71F17180DA8E8FDB55EFA8C8556E97FB4FF56340F0405BAD049D3192CB39A84AC781
                                                                                                                                                                                                                                          Function 00007FFAAB5905A0 Relevance: 1.5, Strings: 1, Instructions: 221COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: p[G
                                                                                                                                                                                                                                          • API String ID: 0-3967213495
                                                                                                                                                                                                                                          • Opcode ID: 2a6d8a0d51b4711912be329166b531df62d918e7a29585eda62fb5f5a4ef396b
                                                                                                                                                                                                                                          • Instruction ID: c9d8e16c6fc7093ac95b1b17be538121047b957cb1269c63f23f52b50d429f25
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2a6d8a0d51b4711912be329166b531df62d918e7a29585eda62fb5f5a4ef396b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CE617D71D0964ECFEB54DB98D8556FDBBB5FF4A340F10413AD00EE3292CA3968498B80
                                                                                                                                                                                                                                          Function 00007FFAAB59813C Relevance: 1.5, Strings: 1, Instructions: 218COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: X
                                                                                                                                                                                                                                          • API String ID: 0-3081909835
                                                                                                                                                                                                                                          • Opcode ID: be2c6579ad245f599f1181172426e2379f4545eb08998a1840fc124c2f454761
                                                                                                                                                                                                                                          • Instruction ID: 821ba09a5cd76dfbd3e051204702407e34cc4f62d03af3609eb79173a2ead310
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: be2c6579ad245f599f1181172426e2379f4545eb08998a1840fc124c2f454761
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DE817E71C0A65E8FDB58DB68C8557EDBBB4EF06340F1441BAD04EA32A2DA391949CB40
                                                                                                                                                                                                                                          Function 00007FFAAB5A4B60 Relevance: 1.5, Strings: 1, Instructions: 217COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 0pO
                                                                                                                                                                                                                                          • API String ID: 0-2342757507
                                                                                                                                                                                                                                          • Opcode ID: a5ab3e095fadec049d666706f3002a3845cecd0c46f487b6962ec5b087e6271b
                                                                                                                                                                                                                                          • Instruction ID: ceac3cb02d109bfe7bb54d5e939219b4f16b643925d918b4d53a0bad196ff188
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a5ab3e095fadec049d666706f3002a3845cecd0c46f487b6962ec5b087e6271b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 31510972A19D4A8FE7A8D76C9069BB937D5EF95380B0440BED04EC72E3DD189C4A87C1
                                                                                                                                                                                                                                          Function 00007FFAAB592EFD Relevance: 1.5, Strings: 1, Instructions: 216COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: P>^H
                                                                                                                                                                                                                                          • API String ID: 0-2558763356
                                                                                                                                                                                                                                          • Opcode ID: 2183891a40997d5e0c15bf4f5bc098935a3a6a6480161bedd25e5741d1df1dec
                                                                                                                                                                                                                                          • Instruction ID: d5c2ad6b9fbd951862d434816881023f918f42755e5e3afb2e366ff3cd35312d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2183891a40997d5e0c15bf4f5bc098935a3a6a6480161bedd25e5741d1df1dec
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6461A070909A4D8FDB55DF68C845AED7BB1FF5A300F0401BAE04DD72A2DB399845CB81
                                                                                                                                                                                                                                          Function 00007FFAAB598AA5 Relevance: 1.5, Strings: 1, Instructions: 214COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: p[G
                                                                                                                                                                                                                                          • API String ID: 0-3967213495
                                                                                                                                                                                                                                          • Opcode ID: 00ab14a7e025f8b4f50b4ac997550a02f70f5f4280ba8157f768de75c06a51df
                                                                                                                                                                                                                                          • Instruction ID: 16a33f007045010fda2a94239d4d1f2b54732156265c082e8663d80a9ee3b8d5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 00ab14a7e025f8b4f50b4ac997550a02f70f5f4280ba8157f768de75c06a51df
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F771F57080E68E8FDB59DBA898566E97FF4EF06350F0841BED04EDB1A3CA391446C791
                                                                                                                                                                                                                                          Function 00007FFAAB7A9FBD Relevance: 1.5, Strings: 1, Instructions: 210COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: /E
                                                                                                                                                                                                                                          • API String ID: 0-3969647439
                                                                                                                                                                                                                                          • Opcode ID: 50deae584032be18d749fc3e9de6a359a19c71cd94aca94a0fcd1c0097fdcf37
                                                                                                                                                                                                                                          • Instruction ID: d2856bfd7e67b721dd5930df79806763613fa5b5ee2392fc85b6cf3fb726f98a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 50deae584032be18d749fc3e9de6a359a19c71cd94aca94a0fcd1c0097fdcf37
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0E512921A1FA8A8FE799532884683747BB0FF56350F5089BED04FCB1F2E95DA94943C1
                                                                                                                                                                                                                                          Function 00007FFAAB593C20 Relevance: 1.5, Strings: 1, Instructions: 204COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: p[G
                                                                                                                                                                                                                                          • API String ID: 0-3967213495
                                                                                                                                                                                                                                          • Opcode ID: e07f30a1c623be1e0b787ce928344f8b8c0339328b01e8491c3d1a8b45810f21
                                                                                                                                                                                                                                          • Instruction ID: 85bfc84762fd2ef9a26d97bacbca79065def99ec024de3ce60ead8d06110be5a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e07f30a1c623be1e0b787ce928344f8b8c0339328b01e8491c3d1a8b45810f21
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C451BB71909A4D8FDB54EFA8D8456EDBBB1FF46340F00417AD44ED7292CB39684ACB80
                                                                                                                                                                                                                                          Function 00007FFAAB59D0C0 Relevance: 1.4, Strings: 1, Instructions: 194COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: ^K_^
                                                                                                                                                                                                                                          • API String ID: 0-3349805252
                                                                                                                                                                                                                                          • Opcode ID: c05aefeb3749de9c4076fe06dfacfd183f19bb5c955825b20a4104b445c64cff
                                                                                                                                                                                                                                          • Instruction ID: f444596169270b4fbd2446ed4f8e6f73abe740bc20f988283ed2b550ccd71165
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c05aefeb3749de9c4076fe06dfacfd183f19bb5c955825b20a4104b445c64cff
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D651D76394D7964FD302A77CE4661E87BB5DF4623470946F7C089CE0E3E91C288ACB95
                                                                                                                                                                                                                                          Function 00007FFAAB59E150 Relevance: 1.4, Strings: 1, Instructions: 159COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 6E
                                                                                                                                                                                                                                          • API String ID: 0-2597168574
                                                                                                                                                                                                                                          • Opcode ID: 0ab1b23992d6a73c9bbbfe59ab25c830fe419ed1cddd97eff0c28941d295321b
                                                                                                                                                                                                                                          • Instruction ID: ef202ea99e8316e4dfdb0d1e156f7ae1477e2491c376fe25f42cf4f94653b6c7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0ab1b23992d6a73c9bbbfe59ab25c830fe419ed1cddd97eff0c28941d295321b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4C415B7261CA468FE798E73CC05A2B93BD6EF9A340F0445BDC04EC72E3DD1868068780
                                                                                                                                                                                                                                          Function 00007FFAAB5984D8 Relevance: 1.4, Strings: 1, Instructions: 159COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: p[G
                                                                                                                                                                                                                                          • API String ID: 0-3967213495
                                                                                                                                                                                                                                          • Opcode ID: 397a3423d274ab4eb7015c71622e85ae8eff0a5853eb3bcc46ce079eff472acc
                                                                                                                                                                                                                                          • Instruction ID: 8a8b6bd954df7821c742f405a35cdc80b7f0c263b0dbbad3b69bef34994007fd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 397a3423d274ab4eb7015c71622e85ae8eff0a5853eb3bcc46ce079eff472acc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1551B37080DA8D9FD755EBA8C8596EDBFF0EF16350F0405BED08AD71A2DA351446C741
                                                                                                                                                                                                                                          Function 00007FFAAB792078 Relevance: 1.4, Strings: 1, Instructions: 158COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: H
                                                                                                                                                                                                                                          • API String ID: 0-2852464175
                                                                                                                                                                                                                                          • Opcode ID: f42a2c5c3c963e8da9b3ca6fdf25328bc5c5dda2009f1c90ffdc841d30078d43
                                                                                                                                                                                                                                          • Instruction ID: 1ab15508e59730a46f0f64fd5b013942f09f6d43e636d3a1509bf53b0ecc2791
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f42a2c5c3c963e8da9b3ca6fdf25328bc5c5dda2009f1c90ffdc841d30078d43
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 50415B3060AA4A8FD7D8EB6C84596793BE2EF9A24071441BDD44EC72B6DD25DC4BC780
                                                                                                                                                                                                                                          Function 00007FFAAB792016 Relevance: 1.4, Strings: 1, Instructions: 156COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: H
                                                                                                                                                                                                                                          • API String ID: 0-2852464175
                                                                                                                                                                                                                                          • Opcode ID: 8a1419255961bb2a1db5118165a245aa3ab55d40de0cfc4959cb64540cd11c95
                                                                                                                                                                                                                                          • Instruction ID: efb5398eacc844f8ba102ab0a14edb92aa00192f9c79da79b40247b7960c1326
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8a1419255961bb2a1db5118165a245aa3ab55d40de0cfc4959cb64540cd11c95
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 37414B3060EA8A4FD7D4EB7C84596793BE2EF9A24071841FDD44EC72B6DD29980B8781
                                                                                                                                                                                                                                          Function 00007FFAAB79574D Relevance: 1.4, Strings: 1, Instructions: 156COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: UAWA
                                                                                                                                                                                                                                          • API String ID: 0-1492024814
                                                                                                                                                                                                                                          • Opcode ID: 251ba4fef35f192ce9f38fb90778fb1090f42a1673608b22cba69fa8a12d79ba
                                                                                                                                                                                                                                          • Instruction ID: cb5dbe130781fa4701d4b374efa0d2d62d48f3c7c5d713a0c7260774b86cc69a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 251ba4fef35f192ce9f38fb90778fb1090f42a1673608b22cba69fa8a12d79ba
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F9414971D1DB1A8FEB98AB78E406AF977E1EF58350F10407AD40CD7192DD38A8868BC5
                                                                                                                                                                                                                                          Function 00007FFAAB79FC10 Relevance: 1.4, Strings: 1, Instructions: 153COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: UAVW
                                                                                                                                                                                                                                          • API String ID: 0-3038902782
                                                                                                                                                                                                                                          • Opcode ID: 2886879890128da47320e785e6ac28181f450bbb64f1d8783144bb2b76d2feb4
                                                                                                                                                                                                                                          • Instruction ID: b805e366d863f982e5fbf6a84ba80ed92d8d3b58fdada298e1d14b036131d520
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2886879890128da47320e785e6ac28181f450bbb64f1d8783144bb2b76d2feb4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 58413C3160EA854FD795D76898547A67BF2EF86300F1880FAC44DCB2B6DA29A846C7C1
                                                                                                                                                                                                                                          Function 00007FFAAB5904FA Relevance: 1.4, Strings: 1, Instructions: 150COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: p[G
                                                                                                                                                                                                                                          • API String ID: 0-3967213495
                                                                                                                                                                                                                                          • Opcode ID: 3ce25519fec26764909154cd42340f141d58547331abfb35fb78b85f40fb9195
                                                                                                                                                                                                                                          • Instruction ID: ae6f2f28dffbf69fbee028add251226bebb429ff582fab6140f2220d59500c11
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3ce25519fec26764909154cd42340f141d58547331abfb35fb78b85f40fb9195
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 72518D7090964E8FDB94DBA8D4857FD7BB5EF46350F10407AD00EE72A6CB791989CB80
                                                                                                                                                                                                                                          Function 00007FFAAB592FF5 Relevance: 1.4, Strings: 1, Instructions: 146COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: p[G
                                                                                                                                                                                                                                          • API String ID: 0-3967213495
                                                                                                                                                                                                                                          • Opcode ID: 66f94b22983f030b4fc6b490c39d67adc4b48ab8247682152fad3e15d12124ac
                                                                                                                                                                                                                                          • Instruction ID: a58cae0596df9880bcd143577e655bb245ca03c8af0aefbe4d3fa78f5a8b2041
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 66f94b22983f030b4fc6b490c39d67adc4b48ab8247682152fad3e15d12124ac
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8E519B7190964E8FDB99DF68C8457FD7BA1EF56350F0040BAD00DD72A2CB396949CB81
                                                                                                                                                                                                                                          Function 00007FFAAB5935C0 Relevance: 1.4, Strings: 1, Instructions: 142COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: XH
                                                                                                                                                                                                                                          • API String ID: 0-1717114539
                                                                                                                                                                                                                                          • Opcode ID: c000af04fd1dc450084862c40aeea7eb80881f003136b4589a1a053a20031cc2
                                                                                                                                                                                                                                          • Instruction ID: bb3b2d7e988322f422ed26adf7f442effbab5555ed6d605e99d4467890da16e3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c000af04fd1dc450084862c40aeea7eb80881f003136b4589a1a053a20031cc2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7141B66181E68A8FE355DB78D4A96B97FE0EF57250B0401FEC49ECB2F3D915180AC741
                                                                                                                                                                                                                                          Function 00007FFAAB793C20 Relevance: 1.4, Strings: 1, Instructions: 141COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: UWVS
                                                                                                                                                                                                                                          • API String ID: 0-2867323429
                                                                                                                                                                                                                                          • Opcode ID: 04a01db3c9e28d315971fafd739e4a229d8602a91306c6d52958c7def9a8810e
                                                                                                                                                                                                                                          • Instruction ID: 81143f03bcf4c8cd6b57912729da7195c04f2eece5f5921d0a2543eb1cde1a0b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 04a01db3c9e28d315971fafd739e4a229d8602a91306c6d52958c7def9a8810e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4F412821D0BE0A8EEBE4D72884556B977E1FB9A790F014075D41DC33F2EE59A80E43C1
                                                                                                                                                                                                                                          Function 00007FFAAB5904F8 Relevance: 1.4, Strings: 1, Instructions: 112COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: p[G
                                                                                                                                                                                                                                          • API String ID: 0-3967213495
                                                                                                                                                                                                                                          • Opcode ID: 4952525ec3ccdf1e32bf6fb17f22ec49b2e0cb701834a67672e6ea700d5eb828
                                                                                                                                                                                                                                          • Instruction ID: 41d03bdb5ee7d48202ded7afd6d32c8f7d8c71f9f607a38ec742fd70d739b7a7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4952525ec3ccdf1e32bf6fb17f22ec49b2e0cb701834a67672e6ea700d5eb828
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2541AC7190965E8FDB98DF68D8857FE7BB1FF45350F00407AD00DA2292CB391989CB80
                                                                                                                                                                                                                                          Function 00007FFAAB793C8E Relevance: 1.4, Strings: 1, Instructions: 100COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: UWVS
                                                                                                                                                                                                                                          • API String ID: 0-2867323429
                                                                                                                                                                                                                                          • Opcode ID: 2aa4cb1da3f55b1b7d93348ca18c5603e4558193dfc08d0bbb6775b421a52bbc
                                                                                                                                                                                                                                          • Instruction ID: 38ad72a2fc31eb4b2b7ecc5e49af0fdcf114b0248b6d365840a094fbf8660760
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2aa4cb1da3f55b1b7d93348ca18c5603e4558193dfc08d0bbb6775b421a52bbc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CA210525D0B94A8EFBE4972884552B477F1FF4A751F0540B6C41DC32B2DE59680D57C1
                                                                                                                                                                                                                                          Function 00007FFAAB594F67 Relevance: 1.3, Strings: 1, Instructions: 87COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 0DO
                                                                                                                                                                                                                                          • API String ID: 0-2831280591
                                                                                                                                                                                                                                          • Opcode ID: 46e54af8fd92357157370a1ea3b63c640141819cff92410760ad05c0758f5ebf
                                                                                                                                                                                                                                          • Instruction ID: 37f453f1a2d2fee6ce108b51b738b373237d424fac9f974e9b75d477f7a4d3ff
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 46e54af8fd92357157370a1ea3b63c640141819cff92410760ad05c0758f5ebf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9221D23091F68B8FE764EB6498597B9B7E4FF07380F4445B9C00EC72A3CE6A28058780
                                                                                                                                                                                                                                          Function 00007FFAAB59D260 Relevance: .6, Instructions: 571COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 81cd6932149a0681eb645d68890c4201e05ed66ed93604cb0116f098ba75623e
                                                                                                                                                                                                                                          • Instruction ID: 0e8a7be36fbd53dec49d8e7a6f150e61c6558566fd8046a0dc28b55ac5023e49
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 81cd6932149a0681eb645d68890c4201e05ed66ed93604cb0116f098ba75623e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 430207A2918A4A8FE794EBA8D4557FDBFE5FF56350F0441BAD00EC31D3DD2828468B81
                                                                                                                                                                                                                                          Function 00007FFAAB592F50 Relevance: .5, Instructions: 474COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8d230dc365be0da0094ad437e23b958bf6d1abe11898866fb51a73f2c0e90da1
                                                                                                                                                                                                                                          • Instruction ID: e1ae973bf53183bbfcaddeded0fab19632650971f6a82e571de88bede12d9834
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8d230dc365be0da0094ad437e23b958bf6d1abe11898866fb51a73f2c0e90da1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 83E1043190A65E8FDB64EB28D8106F9BBB4FF46394F0001BAD40DC7193DB35AA59CB85
                                                                                                                                                                                                                                          Function 00007FFAAB5A31A0 Relevance: .5, Instructions: 459COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 63f55f2aae87e01ffe6f1180e7c017eacf5262b9ed3cb8c933346a80fcdc62de
                                                                                                                                                                                                                                          • Instruction ID: bc66203884e41217c29bf57766be9c1582986211f9c9ef228d190d2c486672bb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 63f55f2aae87e01ffe6f1180e7c017eacf5262b9ed3cb8c933346a80fcdc62de
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B5C14322B0DD0A4FE794B72CA8597B937C5EB9A390F0441BAE44ED72E2DE189C4647C1
                                                                                                                                                                                                                                          Function 00007FFAAB59D9E9 Relevance: .4, Instructions: 437COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f64f4e456c767a301d0cdbec523dc73290550f3e15e0925c23f56b72150c6f1e
                                                                                                                                                                                                                                          • Instruction ID: 74447ba6ed24b23c227077da391bf340530764d5936ef36946ce31f77f07d2ba
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f64f4e456c767a301d0cdbec523dc73290550f3e15e0925c23f56b72150c6f1e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 94D16A3160DB4A8FDB54DB18D445665BBE1FFA6350F04427ED04EC72A2DE26E84ACB82
                                                                                                                                                                                                                                          Function 00007FFAAB5972A8 Relevance: .4, Instructions: 420COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 14aac014f6633634506a06eedd78eb9e39acccb213de3c5de0c9005ab226b072
                                                                                                                                                                                                                                          • Instruction ID: ccdcc0994f38c4db6fc51f830a6101d42f1bd553ee2eaa21d74534d9a6fbaf84
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 14aac014f6633634506a06eedd78eb9e39acccb213de3c5de0c9005ab226b072
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 87E18070D09A5E8FDB94EB68C495AEDBBF1FF5A300F0441AAD00ED72A2DB356845CB40
                                                                                                                                                                                                                                          Function 00007FFAAB59D469 Relevance: .4, Instructions: 413COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c281bad18ac1f4aae717a5682dd225abb9c924a34f563d41d68078e3ee802205
                                                                                                                                                                                                                                          • Instruction ID: ef895feb22822caafdad15dc34b5ffc7005718daf3977db6d8673d70d8d97ca2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c281bad18ac1f4aae717a5682dd225abb9c924a34f563d41d68078e3ee802205
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 46D1F7B1A18A498FE794EBA8D8557FCBFA5FF56340F1441B9D00EC31D3DE2828568B81
                                                                                                                                                                                                                                          Function 00007FFAAB7A388D Relevance: .4, Instructions: 413COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b1551df00f4037a67c868a6742f66055156ab668fc87ed28d52902e759455ba3
                                                                                                                                                                                                                                          • Instruction ID: a297478d595805f794f737fbd822f6483b49b82490d55a50120e50c00368b230
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b1551df00f4037a67c868a6742f66055156ab668fc87ed28d52902e759455ba3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 41C1706151EB8A8FE7D89B2884166B97BE1FF56340B0445BEE44EC71F3DE64AC0683C1
                                                                                                                                                                                                                                          Function 00007FFAAB59A840 Relevance: .4, Instructions: 383COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 33b7035805105766baa6b18a47f5697c785ea90cd7726be88cfc712e4f38036e
                                                                                                                                                                                                                                          • Instruction ID: ad7797a47f2915f89d24afc0ba3a7d678013254724ef609deb3a943aa6f0dab8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 33b7035805105766baa6b18a47f5697c785ea90cd7726be88cfc712e4f38036e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 95B1BA9390FAC78FF35653BCE8551B8BF6AEF462A4B0842F7D04D460E7D809940E46E6
                                                                                                                                                                                                                                          Function 00007FFAAB590900 Relevance: .4, Instructions: 362COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2c093a0431dd77a6ec9202bbf3dd172d8d1ce5243b6eae8275651b4c3c30752e
                                                                                                                                                                                                                                          • Instruction ID: a5fad983a2e1f62041602f36d547e51e3a4b592fedcf899141640308edbc5d2d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2c093a0431dd77a6ec9202bbf3dd172d8d1ce5243b6eae8275651b4c3c30752e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0AC1F571C0E68ECFEB59DB2488456E97FA5EF56340F0041B9D05ED72A2DB39680DC781
                                                                                                                                                                                                                                          Function 00007FFAAB59B900 Relevance: .4, Instructions: 357COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 675c8ebc8273cabc0ef73d34e76a467920cf1d370680295e626310a2c2ce9d31
                                                                                                                                                                                                                                          • Instruction ID: 660751e4decd0426bdd4205819a506741946d38a98ff653e2e87f8d683382428
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 675c8ebc8273cabc0ef73d34e76a467920cf1d370680295e626310a2c2ce9d31
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0DB16A6160EA4A8FDB95EB2CD4516B57BE5EF4A350B0481FEC04EC71E3D91AA84AC381
                                                                                                                                                                                                                                          Function 00007FFAAB599F9D Relevance: .4, Instructions: 355COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1ce772675339ffe2d442d26065095c1e7b434db98096b65f45255370c2007d43
                                                                                                                                                                                                                                          • Instruction ID: 9bb09a43c8dd5d8b16c4d5d0d023f87648ef5bae9fee97f7ada3ab28156c161b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1ce772675339ffe2d442d26065095c1e7b434db98096b65f45255370c2007d43
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 03A15B52A1EFC68FE7A5937C985A1B53FD5EF5A19070845FAD08DCB1A3FC045C0A8392
                                                                                                                                                                                                                                          Function 00007FFAAB5A5AE0 Relevance: .3, Instructions: 308COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6e591c999dea39800afee1ce5575a72560c861e1404db94f673e055526cf3bb8
                                                                                                                                                                                                                                          • Instruction ID: 2f57ed94046dbf02f3395b17a7f86be7ab0291fc6ea8cba70239c5e3aad2937a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6e591c999dea39800afee1ce5575a72560c861e1404db94f673e055526cf3bb8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 477123A2B1ED4B8FF2A5965C346C57427C4EBAA292B50807ED48FD32E6DD188C0E43C0
                                                                                                                                                                                                                                          Function 00007FFAAB5A25F2 Relevance: .3, Instructions: 306COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fc5796a407135cc80464dc953fb33787be687777d586184481bef7f50a2a9e4b
                                                                                                                                                                                                                                          • Instruction ID: 7ad3adc0ba7100fa53fd50d4f9933bfb50b6a67eeeee8677d2f0656e43ddadab
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fc5796a407135cc80464dc953fb33787be687777d586184481bef7f50a2a9e4b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 49813632A0DA1F4FE750BB2CE8469F97795EF953B5B00463BE00ED3193CD25A44A8AD0
                                                                                                                                                                                                                                          Function 00007FFAAB791017 Relevance: .3, Instructions: 302COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 951abe409192fd81cb7e348ff3d7ab11497f9040b69414df8d9557be019c0d04
                                                                                                                                                                                                                                          • Instruction ID: 01137ab7b07de0798e32ada8eed1a781720337fb72cd1bc744fa64f2fba53c46
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 951abe409192fd81cb7e348ff3d7ab11497f9040b69414df8d9557be019c0d04
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 74912531A0AB4E9FDB98DF28C851AA977F1FF96350F14426DD44DC72A1CA72A816C7C0
                                                                                                                                                                                                                                          Function 00007FFAAB59A7D3 Relevance: .3, Instructions: 299COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2c5a0da121654dff9027eeccbdf937051747a754bd635d78dff536ecfe32ca8e
                                                                                                                                                                                                                                          • Instruction ID: c1ec3d73a083add057c506ed7ed6f98bf39c0adf81b35680713ff2088dba482a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2c5a0da121654dff9027eeccbdf937051747a754bd635d78dff536ecfe32ca8e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A1812A9390EAC34FF65177BCE4414F87B69EF463A4B0886B7D04E460E7DC09A44A4AE5
                                                                                                                                                                                                                                          Function 00007FFAAB5CEA10 Relevance: .3, Instructions: 291COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4bb78b0f49e4470a5c2c4d265811b00f9a3bd0cca07b92ce9a82da9f14978706
                                                                                                                                                                                                                                          • Instruction ID: e3c1854e89e034de17837fea42778a14f3e0f5bb5103e1000eac6f8e65d33584
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4bb78b0f49e4470a5c2c4d265811b00f9a3bd0cca07b92ce9a82da9f14978706
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C2813531A0DB0A8FEB69DB18D8856B573E6FF9A314F04417DD04FC32A3DA25B8468781
                                                                                                                                                                                                                                          Function 00007FFAAB594610 Relevance: .3, Instructions: 272COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e6c88915f623b53bf0f14be7a4971f1afb2eaae294c11e0fb8e9fcd979a78c7f
                                                                                                                                                                                                                                          • Instruction ID: 78a8c4ee4825f5fa60bbc82d1a15d2e18133941f1fb65693fd08d06136905979
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e6c88915f623b53bf0f14be7a4971f1afb2eaae294c11e0fb8e9fcd979a78c7f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0691F471919A8E8FEB94EF68C855AEDBBF1FF59300F0441B9D009D72A7DA349806C780
                                                                                                                                                                                                                                          Function 00007FFAAB5970FB Relevance: .3, Instructions: 255COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bc4b4e580332a650b5142f972f9d15ef7f5c2a3665383d2e9c4eca0fbc5389fa
                                                                                                                                                                                                                                          • Instruction ID: 2bb39267cd0cbb4ffffbf3442964873ccfd0a97c175165aa372be5dc0f970557
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bc4b4e580332a650b5142f972f9d15ef7f5c2a3665383d2e9c4eca0fbc5389fa
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EE611523A0992A8FE754B76CF8856F96B95EF89370F0442B7E00EC7193CE14584A47D4
                                                                                                                                                                                                                                          Function 00007FFAAB59A0F3 Relevance: .3, Instructions: 255COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: df8b772b757e6d2b952a70aef5dcd0bf905ced66da5c3320fcd91b1995d2389c
                                                                                                                                                                                                                                          • Instruction ID: 4f6340bf76a6b7ef2fc12a40eeadcc0428d2262fad710c0831d47d9dae0fcbee
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: df8b772b757e6d2b952a70aef5dcd0bf905ced66da5c3320fcd91b1995d2389c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BA815B7280D6C59FE716A77CE8A64E57FB4EF1622470801F7D08DCB0A3ED09544A8B96
                                                                                                                                                                                                                                          Function 00007FFAAB5A3B68 Relevance: .3, Instructions: 252COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8ca48f33d0e18c940bed87bef86f4d3be9c98e39e1f5670fdc37522b50deec3c
                                                                                                                                                                                                                                          • Instruction ID: 64e957bf8794187e38c663a1c51e0efb3e99c0b9e5caf14d5b67eae9d08bd32c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8ca48f33d0e18c940bed87bef86f4d3be9c98e39e1f5670fdc37522b50deec3c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5371103020DA4A8FD75ADB28D889E7177E0FF5631071486BDD08EC72A3DA25F846C781
                                                                                                                                                                                                                                          Function 00007FFAAB79E396 Relevance: .2, Instructions: 237COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3faf5949aea6795a351856506a4ee8e7bb4b863623360eb797b027879344bbb2
                                                                                                                                                                                                                                          • Instruction ID: de65c322d5e14390d043cf27a34ba3d87688758c22d69086746c86e3b43741b5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3faf5949aea6795a351856506a4ee8e7bb4b863623360eb797b027879344bbb2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8471387060FA4A8FEBA8DB68C45697977E1FF95340B5041BCE00EC71F2DD65A80A87C1
                                                                                                                                                                                                                                          Function 00007FFAAB59EA15 Relevance: .2, Instructions: 234COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cb260c9b17fb328ee95b5384f5ad50afdc4cd1391b16eea3ecbc880adb30b769
                                                                                                                                                                                                                                          • Instruction ID: b630599c255f48d4f88b3d89c9e295e5e8bb5dd140eff4b4045c6560231fa2f6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cb260c9b17fb328ee95b5384f5ad50afdc4cd1391b16eea3ecbc880adb30b769
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4A51206270EE8A8FE3A4977C54592B57BD5DF9A29071885FBD04EC71B3EC049C0A83C1
                                                                                                                                                                                                                                          Function 00007FFAAB59A015 Relevance: .2, Instructions: 233COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 508ab3609f33473418437b96f6ffdeff43428568c042173c8bccc591b1231554
                                                                                                                                                                                                                                          • Instruction ID: 60d9eadd8e0eb0c65b3e9f1a2c7416e112d2552ccefec2cefaac1577b7a5c4dd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 508ab3609f33473418437b96f6ffdeff43428568c042173c8bccc591b1231554
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 21615B6291CF86CFE6A4DB18D05D77AB7E1FF99380F04457DD04EC3192DE28A8468782
                                                                                                                                                                                                                                          Function 00007FFAAB5939F9 Relevance: .2, Instructions: 231COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 808e6a09352adfbc8c70a1c3ac2f610fc0b317dd8203b803740e7c87239a3b9d
                                                                                                                                                                                                                                          • Instruction ID: e3b18e528d23877e8b6a03db8a09511e9470f6e9b0dcfb2cb11bfd1b8a7dd692
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 808e6a09352adfbc8c70a1c3ac2f610fc0b317dd8203b803740e7c87239a3b9d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3A71F07180E7CA8FD752DB78C8555EA7FB0EF4B210F0841EAD489CB2A3C6295549C792
                                                                                                                                                                                                                                          Function 00007FFAAB594667 Relevance: .2, Instructions: 231COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 24ca825221ca39e10f54b4fa542d780c55531fdc410895e8902b078ea7e681b1
                                                                                                                                                                                                                                          • Instruction ID: b415e15089eb606e7c16c572be99575273681711ed5f0b2857fae5fc0d250e65
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 24ca825221ca39e10f54b4fa542d780c55531fdc410895e8902b078ea7e681b1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7281B470919A8E8FDB84EFA8C855AEDBBF1FF59300F1441B9D409D7297DA349846CB80
                                                                                                                                                                                                                                          Function 00007FFAAB598D32 Relevance: .2, Instructions: 223COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 67b022aaf59a47ba0b7e95a9541bc70ea6c7417b140799f5c3d07fdcd126bad7
                                                                                                                                                                                                                                          • Instruction ID: 2a176cabd831fe071da9ebe97b727a87240b76e21eb963ad65387dbf45f75a47
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 67b022aaf59a47ba0b7e95a9541bc70ea6c7417b140799f5c3d07fdcd126bad7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D071A07080E68D8FDB95DBA8C855AED7BF1FF5A340F1441AED04ED72A2CA395846CB40
                                                                                                                                                                                                                                          Function 00007FFAAB5A5719 Relevance: .2, Instructions: 220COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6be5ceb5addf67e0c5c26369cb368401331ea5613819dd19b7f750e17e5f4d6c
                                                                                                                                                                                                                                          • Instruction ID: 1b2afe39a8e918517d30887e459e201080f48adf9c757b2e5c5598babc632f7f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6be5ceb5addf67e0c5c26369cb368401331ea5613819dd19b7f750e17e5f4d6c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4051A0B190DA8A8FF794D76CA4199F87FE1EF96390B0441BEC04ED71A3DD18684A83D1
                                                                                                                                                                                                                                          Function 00007FFAAB59512C Relevance: .2, Instructions: 211COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5f7ec859aa572d58db525bc0f65c57d7d6917608cc613d30048e7bc1f8fad774
                                                                                                                                                                                                                                          • Instruction ID: 255d70f2bb3ff681298c6a7bcdb53409baa76caf0872463fa8556ea3140d1da4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5f7ec859aa572d58db525bc0f65c57d7d6917608cc613d30048e7bc1f8fad774
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DC51657080E78D8FDB52DB74D8665EA7FF0EF56310F0401EBD049D71A2C629649AC782
                                                                                                                                                                                                                                          Function 00007FFAAB5A3BA0 Relevance: .2, Instructions: 204COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5e78d563651282716b9c90d417e47191e55117445ab7902324bed4f4976c6792
                                                                                                                                                                                                                                          • Instruction ID: 6f2f9b7f5a96f7f39dd93498c694337fcaed66a513b999d266eef9dbb297631f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5e78d563651282716b9c90d417e47191e55117445ab7902324bed4f4976c6792
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 45512330619A0A8FD759DB1CE888A7177E4FF9A350B14827DD44ED32A3DA35F84687C1
                                                                                                                                                                                                                                          Function 00007FFAAB5A1E08 Relevance: .2, Instructions: 204COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0cc60cd4072e7ae43a51af9a4898dcbf233c41597db82c7a90e087d39c1b3958
                                                                                                                                                                                                                                          • Instruction ID: 2194301d4b7aabbbd0a8694a111029a9ffa917d0be928e2f624de3b6a9bc9009
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0cc60cd4072e7ae43a51af9a4898dcbf233c41597db82c7a90e087d39c1b3958
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1A614071A19A4A8FDF94EF28D455AAD3BE1FF69340F444169E40EC72A2CB34E845CBC1
                                                                                                                                                                                                                                          Function 00007FFAAB59E648 Relevance: .2, Instructions: 204COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f75aa46821a1ec0f48960dcc6d3eac86ef1fe9ff30c5d4367b5bb1b8aa6d8e51
                                                                                                                                                                                                                                          • Instruction ID: 9138081d8c90ff79b703981553c9cafc613a76b3297bce787359521b36716e42
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f75aa46821a1ec0f48960dcc6d3eac86ef1fe9ff30c5d4367b5bb1b8aa6d8e51
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F2516630629A0A8FD759DB1CD889A7177E4FF96350B14867DC44ED3262DE35F8878381
                                                                                                                                                                                                                                          Function 00007FFAAB59E937 Relevance: .2, Instructions: 203COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 78dc5102c1b68678a99114b7d12a90d892691cd1ae1831768b73d60862437bd5
                                                                                                                                                                                                                                          • Instruction ID: b41ac3087fbe2b229a7cffa63712f551fec1eba184329a00c869be636a7321b3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 78dc5102c1b68678a99114b7d12a90d892691cd1ae1831768b73d60862437bd5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3451096160E6C68FE755D73C98695B53FE5EF47290B0884FED48ECB1B3E9185C0A8381
                                                                                                                                                                                                                                          Function 00007FFAAB791049 Relevance: .2, Instructions: 203COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 786bbf6629386b62966c3fde57585718fb1014017aad56c86b789239e4aa1829
                                                                                                                                                                                                                                          • Instruction ID: 0815f93848706ee8a495c9ea598993da031c281f2f775ac177c2ed562bd79a70
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 786bbf6629386b62966c3fde57585718fb1014017aad56c86b789239e4aa1829
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EF51083090EB8A9FDB98CF28C4519A97BF1FF96310F14416ED44DC7266CA75A816C7C1
                                                                                                                                                                                                                                          Function 00007FFAAB797450 Relevance: .2, Instructions: 198COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ef3b13b5cbcddf096382d9f4a3da81aa0cb05404f69285ab7343a5c33d86e1fa
                                                                                                                                                                                                                                          • Instruction ID: 14efb2d09959cd3ae368236cd3920708482c654142d51db6201cd66fad1759f3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ef3b13b5cbcddf096382d9f4a3da81aa0cb05404f69285ab7343a5c33d86e1fa
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 71510721B1DA498FD794FB7CD899AF83BE1EF4A21070445F6D08DC71B3DE19A8468781
                                                                                                                                                                                                                                          Function 00007FFAAB59A848 Relevance: .2, Instructions: 197COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 03fe268207ba7bc1f7e1a1a9b6816a96d43e82cd4cc85bdc193968094e210c98
                                                                                                                                                                                                                                          • Instruction ID: cb22d1e8a7cbc343eb1c5f5be2e7301634b9c206218ffb16b967bf0dc11eea0a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 03fe268207ba7bc1f7e1a1a9b6816a96d43e82cd4cc85bdc193968094e210c98
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6C51DC83C4FAC38FF35663BCE4115B86B99AF56394B0C86F7D04E460E7DC09A44A46E6
                                                                                                                                                                                                                                          Function 00007FFAAB595DB0 Relevance: .2, Instructions: 196COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c418e285f60d85b04893fd686a1d1a8dac66abac1447419ce99b9c6bc65a835c
                                                                                                                                                                                                                                          • Instruction ID: b2a0b35bcc9213ac62e5f9a20a9bcaca5825c046ea74564c1ac610fbc36be00c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c418e285f60d85b04893fd686a1d1a8dac66abac1447419ce99b9c6bc65a835c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7961AD70D09B8D8FDB55EF68D8856E9BBF0FF5A300F0441AAD44ED7252CA35A846CB81
                                                                                                                                                                                                                                          Function 00007FFAAB596451 Relevance: .2, Instructions: 195COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 63baa73af2ff535c47a9bf8de8bf7a64076782c07d8117fad0b90ed9790f54e4
                                                                                                                                                                                                                                          • Instruction ID: bbabf5c412b9b4835f68b18941888009c8fa63288a757c070e37c3ee05c22184
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 63baa73af2ff535c47a9bf8de8bf7a64076782c07d8117fad0b90ed9790f54e4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 20613D30D0D65ACFDB98DB64C4957BCBBB5EF16340F5484ADC01EE7292CA396889CB40
                                                                                                                                                                                                                                          Function 00007FFAAB5A1E6D Relevance: .2, Instructions: 193COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0d35c60cc8e68a2e375a8d5cd01b05a298ee372abaab6cad133675de0a14fb5e
                                                                                                                                                                                                                                          • Instruction ID: 3178d93ae0e381722e270d2c2ea4bda4384cf9e625c5994a90a67c5fc4b65db9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0d35c60cc8e68a2e375a8d5cd01b05a298ee372abaab6cad133675de0a14fb5e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4D512C70A19A4A8FDF94EF18C495AAD7BE1FF69340F04416AE40ED7262CB34E845CBC1
                                                                                                                                                                                                                                          Function 00007FFAAB5A1D60 Relevance: .2, Instructions: 192COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b145a5da7d99ab45703ffb5143063b22491fb9b3284c015fc4ca5d8f6b374870
                                                                                                                                                                                                                                          • Instruction ID: 31b1c309eb4db363b868f2fc93255e8b451a03197d0cb2ecaf94204a700732ba
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b145a5da7d99ab45703ffb5143063b22491fb9b3284c015fc4ca5d8f6b374870
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 60517131A18A0E8FDB98EF18C4566BA77D5FF99390F10457EE40ED3292CE35A90587C1
                                                                                                                                                                                                                                          Function 00007FFAAB592F45 Relevance: .2, Instructions: 191COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 328f4a9512f0a1b46a29f0acb032e4ececb7e2a4916d70c513e30b6909222763
                                                                                                                                                                                                                                          • Instruction ID: c478a580973cbca06abc9014c2a18f8c74ff26fe3c95c2c9c87790691398de55
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 328f4a9512f0a1b46a29f0acb032e4ececb7e2a4916d70c513e30b6909222763
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C7511570909A5D8FDF95EF68C454AEEBBF1FF5A340F10416AD40DE3252DA35A845CB80
                                                                                                                                                                                                                                          Function 00007FFAAB59382E Relevance: .2, Instructions: 186COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bb9dcc9b961c03e909c6a8fa52c1605a9a207f24ebddd1898302fedf4f162b8b
                                                                                                                                                                                                                                          • Instruction ID: fd649934375832226cd20b5bc7c99ea089c6f16265b9619e4b1325995fc99b87
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bb9dcc9b961c03e909c6a8fa52c1605a9a207f24ebddd1898302fedf4f162b8b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1F51F17180E689CFDB81DBA8C8556EDBFF4FF4A310F0400AAD08AD72A3DA295405C781
                                                                                                                                                                                                                                          Function 00007FFAAB5A1DD0 Relevance: .2, Instructions: 184COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 024847a84de1cc80c110d214274dfed6951c6e1e42b9ef6768e482953e0dc0fb
                                                                                                                                                                                                                                          • Instruction ID: e7561c7415df22338e23f7d138434467c0b4c57e502da5e7e8b7e64f635048cb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 024847a84de1cc80c110d214274dfed6951c6e1e42b9ef6768e482953e0dc0fb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 64512A31A1DB4A8FE7A4DB1C644667677D2EF99350F54423EE48FC32A2DF24A80643C2
                                                                                                                                                                                                                                          Function 00007FFAAB7AAF4D Relevance: .2, Instructions: 183COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e80c0524dbe353e36cb9172216875602396fb1763dc791b84e4c95c7e2d87ead
                                                                                                                                                                                                                                          • Instruction ID: 1a5e8d6e0246574208d5d3682c9094b1567f073a172284f594ded0fa01b73839
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e80c0524dbe353e36cb9172216875602396fb1763dc791b84e4c95c7e2d87ead
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 42417B62A0EA894FE7A9971C58555FA3BE1DF96260F04407FD04DC31B3ED56A80B43C1
                                                                                                                                                                                                                                          Function 00007FFAAB595B6A Relevance: .2, Instructions: 181COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c23607c3adde98c887aef964eec42b61913c1c11186b2d3b447ad5d41da65b13
                                                                                                                                                                                                                                          • Instruction ID: 1f5380ca87298169801db06a0bf9de6a11924e673ef51b6ed61440ec00079bc4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c23607c3adde98c887aef964eec42b61913c1c11186b2d3b447ad5d41da65b13
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EF51BF3080E7C98FD756DB748869BE97FF0EF47250F1841EAD089DB1A2CA29488AC751
                                                                                                                                                                                                                                          Function 00007FFAAB5A5220 Relevance: .2, Instructions: 179COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3acb186fff85836e12fb2d3261d35e27dda7497ecd8f2cd832eac76918835fc7
                                                                                                                                                                                                                                          • Instruction ID: b474f382884ac8a0d3cc35f2d8835733420da62099859060c10992ed47467f45
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3acb186fff85836e12fb2d3261d35e27dda7497ecd8f2cd832eac76918835fc7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FC41F57270DE0B8FEA98A61CB44AA7573D5EB86370B50417EE40EC7257ED15EC4683C0
                                                                                                                                                                                                                                          Function 00007FFAAB7937F8 Relevance: .2, Instructions: 176COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: aa3c63dcb0114df5c32d9f124e3893333e35f20bc854e3b07ad1dca369489bb7
                                                                                                                                                                                                                                          • Instruction ID: 71fadf4ee46c854c6150af95c8b0bba4ce2e45f8ffe9a6524c8e404c1c39a651
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aa3c63dcb0114df5c32d9f124e3893333e35f20bc854e3b07ad1dca369489bb7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5241197191DF1A8FEB98AB68E406ABA73E2EF98350F10407AD40DD3192DD34A84287C5
                                                                                                                                                                                                                                          Function 00007FFAAB79E352 Relevance: .2, Instructions: 176COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 527b173ba61bf2ea53b781697acd2c41d12848cb9606e2336b74e1d7aa940a46
                                                                                                                                                                                                                                          • Instruction ID: e8fbb8add109e0612eef35834d972bb616f03d882c8c178be2a61124d46b0a2b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 527b173ba61bf2ea53b781697acd2c41d12848cb9606e2336b74e1d7aa940a46
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1551C27060F6459FE365DB74C45ADBA7BB1FF86200B6444FCD04B8B1B2D92AA806C780
                                                                                                                                                                                                                                          Function 00007FFAAB79E35E Relevance: .2, Instructions: 176COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 527b173ba61bf2ea53b781697acd2c41d12848cb9606e2336b74e1d7aa940a46
                                                                                                                                                                                                                                          • Instruction ID: e8fbb8add109e0612eef35834d972bb616f03d882c8c178be2a61124d46b0a2b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 527b173ba61bf2ea53b781697acd2c41d12848cb9606e2336b74e1d7aa940a46
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1551C27060F6459FE365DB74C45ADBA7BB1FF86200B6444FCD04B8B1B2D92AA806C780
                                                                                                                                                                                                                                          Function 00007FFAAB595708 Relevance: .2, Instructions: 171COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b68803c6c5340499d0dd8aef8d40b03566df4f8aff238275317e1220616b7b22
                                                                                                                                                                                                                                          • Instruction ID: 29f9d5b21b61665d7283df51e43e8a7ad1583084a17302557a904b0cc32cbe39
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b68803c6c5340499d0dd8aef8d40b03566df4f8aff238275317e1220616b7b22
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3F51D47180E74D8FD755DF68D4556ECBBB1FF4A340F1404BAD04AD72A2DA7A6809CB80
                                                                                                                                                                                                                                          Function 00007FFAAB5A3520 Relevance: .2, Instructions: 168COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 876682d7187fa26fb161f94fff403ce829dae47cc9338f87eb97c508ebb2e1d2
                                                                                                                                                                                                                                          • Instruction ID: 61d9a4f01c9f61c59e8f971a1ed77d4b4acb1045468ac604a84d3758896aa128
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 876682d7187fa26fb161f94fff403ce829dae47cc9338f87eb97c508ebb2e1d2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BD516DA190DA8A8FEF98DF6CD8596BD7BF1FB59344F0440BAD009D7197CA2498098780
                                                                                                                                                                                                                                          Function 00007FFAAB5AAB39 Relevance: .2, Instructions: 167COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a1f471c4f6398b9510522ca4a3021a7837b18219f30f8f9ae7d9cc89b8cd34f7
                                                                                                                                                                                                                                          • Instruction ID: 85f894322536c27bb356910a23d39397204ce124a9750a8fb7fae793c607d1ba
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a1f471c4f6398b9510522ca4a3021a7837b18219f30f8f9ae7d9cc89b8cd34f7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C651C67090965E8FEB58EFA4C4956ECBBB1FF59300F50406AD00EE7292DB39A985CB40
                                                                                                                                                                                                                                          Function 00007FFAAB797460 Relevance: .2, Instructions: 161COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5539de0413440a3e374ca67c272951e1097d6735df108dd27ec048fc903a2fcc
                                                                                                                                                                                                                                          • Instruction ID: 29252737f37adfe4dc20bbd93290ca96e39e93d69fe8ecb87d8a507175946d5e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5539de0413440a3e374ca67c272951e1097d6735df108dd27ec048fc903a2fcc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 80412631B1E9098FE7EC972C644A17937E1DF9A2A1704427FD40EC32B3DC56AC4682C1
                                                                                                                                                                                                                                          Function 00007FFAAB59A0DD Relevance: .2, Instructions: 153COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b9f61a12f7252fb63e73c2bccf37e063364aebe772e9cda25fb162cf41dc8132
                                                                                                                                                                                                                                          • Instruction ID: fd48157df23bf9ede142382b2032173687cc228a9d495547725c9a3adf7faa12
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b9f61a12f7252fb63e73c2bccf37e063364aebe772e9cda25fb162cf41dc8132
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6931D53171D9198FEAA8AB2CA45DAB53BC5FF9939170400BEE44EC72B3EC159C4683D1
                                                                                                                                                                                                                                          Function 00007FFAAB5A1D58 Relevance: .2, Instructions: 152COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2f1c3ba36e5ae5432080a378b94a76c166943076a6579335d261970f923de0d5
                                                                                                                                                                                                                                          • Instruction ID: 99a90521e97051af727a66cab5f98fe9b0801152025d8a405f7a4fbba8e4dbea
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2f1c3ba36e5ae5432080a378b94a76c166943076a6579335d261970f923de0d5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 32417271A08A0E8FDB94EF28D4495BA77E5FF99390F00457EE40FD3292CE25A9458BC1
                                                                                                                                                                                                                                          Function 00007FFAAB59AE30 Relevance: .1, Instructions: 149COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5da154685379f0d7bbba050a2a65974adaa1c04b9565390859bc9cc7143198c6
                                                                                                                                                                                                                                          • Instruction ID: cbae7d33ca5fd11bd8ef5fc906ed2a5ddf0f6abdfd9c4a2bf531dce8ab749d7c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5da154685379f0d7bbba050a2a65974adaa1c04b9565390859bc9cc7143198c6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 15412661A1CE8B4FEB98DB2CD4556B533D5FFD9390B0441BAE00EC32A7ED19E8068391
                                                                                                                                                                                                                                          Function 00007FFAAB79183B Relevance: .1, Instructions: 146COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b11603116b0c144ee13c4daabfda9ba18d3b572038f030723c37c25a482c10eb
                                                                                                                                                                                                                                          • Instruction ID: b0a5519a3720773899730651911e680e5978c43f4b914b81a38c8185b71f447b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b11603116b0c144ee13c4daabfda9ba18d3b572038f030723c37c25a482c10eb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1041682190FA8A9EEBE4D73844457F977E1EF9A3A0F008175C40DC3AB2DD66A81E57C1
                                                                                                                                                                                                                                          Function 00007FFAAB79136E Relevance: .1, Instructions: 144COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e9cbfeebf6904d78fd1ac27c9729d4f4450a02d253814521a2a05cb9add9104c
                                                                                                                                                                                                                                          • Instruction ID: e2501eff2b2a0d84df120771f7f7c0d8d3ebcc94154775af8ba4eda72d8b217e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e9cbfeebf6904d78fd1ac27c9729d4f4450a02d253814521a2a05cb9add9104c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DB414A22D0AA0A9EFBE4D77884415F977F1EB9E390F004175D40CC39B2EE59A81E87C1
                                                                                                                                                                                                                                          Function 00007FFAAB59FD93 Relevance: .1, Instructions: 141COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4d54fb1b53903d6051d4209c5490dc6d3b566090fb1442cf9d5be9910cde6f82
                                                                                                                                                                                                                                          • Instruction ID: a22439c24676ad95885f39c1c71f9035c9df09163c2f1ece19a6d7a976ccdd72
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4d54fb1b53903d6051d4209c5490dc6d3b566090fb1442cf9d5be9910cde6f82
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 32413272E18A5E8FE7A4DB58C8997E8B7E5EF58740F0046F6900DD3197CE3469854B80
                                                                                                                                                                                                                                          Function 00007FFAAB794C79 Relevance: .1, Instructions: 140COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3283d8477e6c29cb9a6b6dc7022a3c2d467236bfc1afd8789d0020981489f05e
                                                                                                                                                                                                                                          • Instruction ID: 49147010f48c6860e7a4a04833c89564e84e4d015437eb7852986b4459620fed
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3283d8477e6c29cb9a6b6dc7022a3c2d467236bfc1afd8789d0020981489f05e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A3418535A09A5A8FDFD8EF28C451AA977F1FF55340F1445A8D40DC72A6CA35E846CBC0
                                                                                                                                                                                                                                          Function 00007FFAAB7A3F69 Relevance: .1, Instructions: 131COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 148612c8ab7d00672dc60d22df60c4ed3230addac8ea22b78d7b61f51faa794b
                                                                                                                                                                                                                                          • Instruction ID: 0880cdb55b664282addf33ab785b30f27389c4ae3d12529e4ea7f322cef477f5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 148612c8ab7d00672dc60d22df60c4ed3230addac8ea22b78d7b61f51faa794b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2B41F57040F6899FD785EB388855A727BF0EF56304F0844FEC089CB1B3DA6AA849C791
                                                                                                                                                                                                                                          Function 00007FFAAB59BF69 Relevance: .1, Instructions: 130COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4788fae63bc6224eaf9835b4de94830e8389a0a00f74b6bb0fa7b62e4726d143
                                                                                                                                                                                                                                          • Instruction ID: 2d620c1ac363a5f70e052dabf9babcef4645975ce3029c2ff94f1684c7188232
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4788fae63bc6224eaf9835b4de94830e8389a0a00f74b6bb0fa7b62e4726d143
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6F31D66290EBCA8FE7569B3888255747BB5EF5728070941FBC08ECB1E3DD1D980A8352
                                                                                                                                                                                                                                          Function 00007FFAAB5A597D Relevance: .1, Instructions: 127COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fbe95c464f6c05187720cac0d60f3ebae83817fbf517388da473aeaa7969a473
                                                                                                                                                                                                                                          • Instruction ID: 7bb1a07719536b3c03edfea2895fb26d2c904bbf4a7a4594a76e08dafd9fa68b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fbe95c464f6c05187720cac0d60f3ebae83817fbf517388da473aeaa7969a473
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FE31336161E6C65FE357A778A89A5B57FE4EF0724070844FED4CECB0B3D809184A8386
                                                                                                                                                                                                                                          Function 00007FFAAB7A3B85 Relevance: .1, Instructions: 123COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a4637352b14dd09c8c1ea0e60c0b529ee5d204e84589da299a73c0c3c64c082f
                                                                                                                                                                                                                                          • Instruction ID: 0b0b15f7d3fd6b5429972f0d68949f1032e898a30787317d1cb951948ba70211
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a4637352b14dd09c8c1ea0e60c0b529ee5d204e84589da299a73c0c3c64c082f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 47312951A1EF8BCFEAE89B6C84156B967E1FF95380B0545BDD00EC71E6DD18EC0A42C0
                                                                                                                                                                                                                                          Function 00007FFAAB59BB05 Relevance: .1, Instructions: 118COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 34d258734edf17bf80b7a99f5124b2892f5fff25691b72357c648de12baebb49
                                                                                                                                                                                                                                          • Instruction ID: 052a390726e8d237eed42d04b62c0230ef46ea2a758b135d114e134fc1fd93e5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 34d258734edf17bf80b7a99f5124b2892f5fff25691b72357c648de12baebb49
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 704150A190E7CA9FF35597B848666E97FE4EF12240F0409FAD45F9B0E3ED19140AC781
                                                                                                                                                                                                                                          Function 00007FFAAB5A95A4 Relevance: .1, Instructions: 111COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c6013b1ce9168e9812806c85b13bcf2d66e2bdf3935c63f8a87be070437024b3
                                                                                                                                                                                                                                          • Instruction ID: 6215edf78446da05c1c619b11a84a890fd6fdd31e2d080482078c68981fe218b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c6013b1ce9168e9812806c85b13bcf2d66e2bdf3935c63f8a87be070437024b3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5E31076160EA9A8FE7A5DB18848C7A877E1FF96340F4445BDD04EC71B2DE34AC09C781
                                                                                                                                                                                                                                          Function 00007FFAAB5AA1DA Relevance: .1, Instructions: 110COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9b2e9196f993cc9f89ecc5c664ed80d779b07f071427f46335255fee78c521ec
                                                                                                                                                                                                                                          • Instruction ID: 677db821e8a4eb7693671841c9a124fc21fdc8580767f8dc80b4afe06577228c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9b2e9196f993cc9f89ecc5c664ed80d779b07f071427f46335255fee78c521ec
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3D21373060DA8A8FD7A8D71D9849B7577D5EF86320F0442BEE44EC71A2D925FC468781
                                                                                                                                                                                                                                          Function 00007FFAAB5A6DCA Relevance: .1, Instructions: 110COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 63eb35d2044c5e19b937378f00e02733fbdbcdb724c6a81f9b13b791b66df35f
                                                                                                                                                                                                                                          • Instruction ID: b03356c8cba699630162885c0c8109f7b6a5dc5ecacc806829d2c3f351031c16
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 63eb35d2044c5e19b937378f00e02733fbdbcdb724c6a81f9b13b791b66df35f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DC31497150CB878FD744EB2CC459665BBE1FF9A350F0446BED08ECB1A3DE24A9468782
                                                                                                                                                                                                                                          Function 00007FFAAB595038 Relevance: .1, Instructions: 107COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ee6937edf94e3fe002602a006e211fd1dd1498e78e72f254fc41be5b53a678d4
                                                                                                                                                                                                                                          • Instruction ID: 3fd43bc6d9098e33954fc9153b7c120c6be321236ad237c0884dcc1c5c0c02ae
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ee6937edf94e3fe002602a006e211fd1dd1498e78e72f254fc41be5b53a678d4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6431D531D08A5D8FCBA4EF59D801BEABBB4FB9A314F0006ABD41DD3251D7319A55CB81
                                                                                                                                                                                                                                          Function 00007FFAAB790F3E Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 39c1c55c54bf214307dbf0e96c8027dc42f34397cb49639e04bfcae3209e019e
                                                                                                                                                                                                                                          • Instruction ID: cdad2e248ac8d9c47ca193bb49bf3002b10e6cd0e737e1a3dfc6285bafae707e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 39c1c55c54bf214307dbf0e96c8027dc42f34397cb49639e04bfcae3209e019e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C5315A21D0BA8A8EF7E0977C48426B97BF1EF4A391F0440B6C40CC34B2DD9A6D1E46C0
                                                                                                                                                                                                                                          Function 00007FFAAB599D55 Relevance: .1, Instructions: 104COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c83e7c3ad0b78bf8eef2f4fdbff0d3f101f818c495d34b051f3ef13fef917c5a
                                                                                                                                                                                                                                          • Instruction ID: 42f8310ab1ca913df50bf168601b5fef1c3da408921c9da7e50c017af9eb275e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c83e7c3ad0b78bf8eef2f4fdbff0d3f101f818c495d34b051f3ef13fef917c5a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F1318B1051E6C65FE3A7937C28EA2E67FF1DF4B110B1C45EAC4DA8B167E4496807D382
                                                                                                                                                                                                                                          Function 00007FFAAB59748A Relevance: .1, Instructions: 102COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ff17f831c8ce0dde7e3fe95f1a51bd4444191de5c99ebe5b333d2f409ff6f686
                                                                                                                                                                                                                                          • Instruction ID: 7069b70272d1cda7d39da26599d11209a4187cda28502b6608755a5870997f27
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ff17f831c8ce0dde7e3fe95f1a51bd4444191de5c99ebe5b333d2f409ff6f686
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 14314931D09A0D8FCB98EF58D8806EDB7B5FB5A350F0052AAD40ED7252DB3169898B80
                                                                                                                                                                                                                                          Function 00007FFAAB5A9838 Relevance: .1, Instructions: 100COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 518985b52932b1bedd25c54c4b0dfc06220324fb15d65b6d4b5a2b0db60cdc9e
                                                                                                                                                                                                                                          • Instruction ID: 3b393fe11fe7273c1122aafa255f41f5162cf33b0e59526cd5e38a7deed71701
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 518985b52932b1bedd25c54c4b0dfc06220324fb15d65b6d4b5a2b0db60cdc9e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 68318C3150E7C28FD7478B6898652907FF0EF07220B1A45EBC48ACF0B7E228980AC791
                                                                                                                                                                                                                                          Function 00007FFAAB798345 Relevance: .1, Instructions: 100COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c1810d1147477d64ce508e7a7fee4ebcdf3c736b32f94c34a3b166af2d8f8bab
                                                                                                                                                                                                                                          • Instruction ID: 50aa3b50c36603c124bcfccfeda4dbc5f2a5bdb3a0d1f4fd79a1893cb5b9582c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c1810d1147477d64ce508e7a7fee4ebcdf3c736b32f94c34a3b166af2d8f8bab
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B131263191DE098FDB95E738D4949E577F1FF45350B0449BAD08ACB2B6CA25F885CB80
                                                                                                                                                                                                                                          Function 00007FFAAB7913DA Relevance: .1, Instructions: 99COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 83d6d21350ef14734f5056b70af8b6b26b0ab07465183e398f84bd0dd64eac78
                                                                                                                                                                                                                                          • Instruction ID: 0d8a5ec6fd655570fea7e732f813424732b91042ec35c4aed48db05f817cf7df
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 83d6d21350ef14734f5056b70af8b6b26b0ab07465183e398f84bd0dd64eac78
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2331C121D0BA4A9EEBE4D77844456B877F1EF4E391F0481B5C40CC39B2DD5A682D56C1
                                                                                                                                                                                                                                          Function 00007FFAAB7918AA Relevance: .1, Instructions: 98COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ada33635e9e8b860f3352de48b2f145ecc358b195af7980524f9b897443379c3
                                                                                                                                                                                                                                          • Instruction ID: 8d9ff2cd08a680c7b9cc2edc1f483513f6a7ff10dcd3e57dccd0f65b867f5ed5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ada33635e9e8b860f3352de48b2f145ecc358b195af7980524f9b897443379c3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6A21F42190BA8A8EFBE4973844453B977E1EB8A3B1F008176C40DD39B2DD69582E12C1
                                                                                                                                                                                                                                          Function 00007FFAAB79E823 Relevance: .1, Instructions: 89COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9e444e6ef4d85ddc68ef7af095cb49829b8686a4aa68fd03ccc28dfdd99a7756
                                                                                                                                                                                                                                          • Instruction ID: 78e21775d1d863d6aa6175c275282adea79a3e3af92a9717be18922c283b9755
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9e444e6ef4d85ddc68ef7af095cb49829b8686a4aa68fd03ccc28dfdd99a7756
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FC214B71A1EA0D8FEBA4A798A442DB877F4EF51390F5050B9D00EC31B2DD26A84B87C1
                                                                                                                                                                                                                                          Function 00007FFAAB59425B Relevance: .1, Instructions: 88COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fc33837b15fded019f4f7d3a01aa1714dc65a2bf909c476a1b49e6b75ba9e205
                                                                                                                                                                                                                                          • Instruction ID: fd1b49601e53cb432abbf58f8c605a98afb429c106fe05dbbaaaf8bfaefdad11
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fc33837b15fded019f4f7d3a01aa1714dc65a2bf909c476a1b49e6b75ba9e205
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 42216D3188E3C65FD723477058265E57FB8AF03251F1A41EBD489DB4A3C51E598AC3A2
                                                                                                                                                                                                                                          Function 00007FFAAB5A6CD8 Relevance: .1, Instructions: 88COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 71c03604283eb8b47e3da6d85af345a95705f74d4c3c20c3a825c04f3e4f61e1
                                                                                                                                                                                                                                          • Instruction ID: e2db0e083350d8342d127f60585e6caf8158fbbea6f77e3f7500c9bbe785a83b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 71c03604283eb8b47e3da6d85af345a95705f74d4c3c20c3a825c04f3e4f61e1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 70219F5150EAC68FE762937C88695A53FA1EF5728071884FEC08ACB1B7E818580AC382
                                                                                                                                                                                                                                          Function 00007FFAAB5A5D3D Relevance: .1, Instructions: 84COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c07b6b6f444c07c5bb87f52e04ec4450b00f25092e8de4e0774c04613ce6a749
                                                                                                                                                                                                                                          • Instruction ID: b85a96e09585be468625a1795abedea25ad9effe8cf64758c92ed436e509aa2d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c07b6b6f444c07c5bb87f52e04ec4450b00f25092e8de4e0774c04613ce6a749
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 75113A72A0DE0A4FFB9AD72CA0696B937D2DB9A26071541BFD44EC72A7DD148D074380
                                                                                                                                                                                                                                          Function 00007FFAAB7994AC Relevance: .1, Instructions: 84COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9281028e690de0252c4203d3c610380208c6f87b13a79aebbd4c1cec3c35e01a
                                                                                                                                                                                                                                          • Instruction ID: 960cce2de38263f99fe0d4b75da6344e47d9620fb1457bb14da35d81fc481152
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9281028e690de0252c4203d3c610380208c6f87b13a79aebbd4c1cec3c35e01a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5B11F361C1FB8A9FF396876898660B43FF0EF4A250B0441B6D41CC75B3C9AA69498381
                                                                                                                                                                                                                                          Function 00007FFAAB710003 Relevance: .1, Instructions: 81COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2323487684.00007FFAAB710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB710000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab710000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 89720d0a1ac0239aee9c60b218d28f9456854da094929ccbf352519064c18e25
                                                                                                                                                                                                                                          • Instruction ID: e4e0445090f05403cbbd93461966a2641bbe6849eb520ab01c1a47fc3639c5d7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 89720d0a1ac0239aee9c60b218d28f9456854da094929ccbf352519064c18e25
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2121179284E7C5CFE756937458695B47FB4EF17240F4D84FBD08D8B0B3E998680983A2
                                                                                                                                                                                                                                          Function 00007FFAAB590C58 Relevance: .1, Instructions: 81COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 06724ccf9351915b2d2d76f93767bf4b1ebede774da3013a4332128c766704f8
                                                                                                                                                                                                                                          • Instruction ID: dbd45844c2d36abbec6520105a7548b6c11ae493da5a36514ad46ad443aa4798
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 06724ccf9351915b2d2d76f93767bf4b1ebede774da3013a4332128c766704f8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 66216B7280E6869FE315A778D8121E97B95EF43310F0804BBD04E9B1F3D9295849C6C2
                                                                                                                                                                                                                                          Function 00007FFAAB79C3C6 Relevance: .1, Instructions: 81COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 47bbcb2e7d8a1a4e2e8450246411d200bfb8c712830022b730249ded525fde2c
                                                                                                                                                                                                                                          • Instruction ID: 36503e6d168f81c66223dd3ef6dde75e31ebdade72bb641440c7e8e37fcbeaae
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 47bbcb2e7d8a1a4e2e8450246411d200bfb8c712830022b730249ded525fde2c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C7217931A0A81E8FEF94EB68D4447FC77B1FB59360F14013AD00EE32A5CA6AA8458790
                                                                                                                                                                                                                                          Function 00007FFAAB797C20 Relevance: .1, Instructions: 78COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 45b94ae23062dc73713ecab1d446ff9b124399933ba128b57adbcb767bfae272
                                                                                                                                                                                                                                          • Instruction ID: abe363d9dd3c1a35e1a08b2de41b505822237f179ad8de8026529ba29fe66eb6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 45b94ae23062dc73713ecab1d446ff9b124399933ba128b57adbcb767bfae272
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F0115B22B1FA464EBAFC425C38551741AE5DF976A074801BBD01CC72F3DE474C4643C5
                                                                                                                                                                                                                                          Function 00007FFAAB7A3F90 Relevance: .1, Instructions: 78COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e512d26e517f2c443fd60e0c1d99c4c68b7ccde392b79dc03c77bd86e5639f69
                                                                                                                                                                                                                                          • Instruction ID: 1e5c88e83fcab497ccf61fc697e9a0a1f94aa7ba14addcf246eda061f93291db
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e512d26e517f2c443fd60e0c1d99c4c68b7ccde392b79dc03c77bd86e5639f69
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F321F83010B5499FD794EB688489AB77BA1EF56344F1444FCD05ACB1A6C566A845C3D0
                                                                                                                                                                                                                                          Function 00007FFAAB71097B Relevance: .1, Instructions: 77COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2323487684.00007FFAAB710000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB710000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab710000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 524e7c448c2ecc77bc76cacea6f7616b532dee620bd07e555482ab7f7064dd0e
                                                                                                                                                                                                                                          • Instruction ID: 883c214c391467a0c14908b84ac9a08853c456e2cd5d98bbb0ba7e25bd1feaa5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 524e7c448c2ecc77bc76cacea6f7616b532dee620bd07e555482ab7f7064dd0e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2E21AF6180EBC98FEB42DF6888695B97FF1FF16240B0840EAD448CB073EA6955558791
                                                                                                                                                                                                                                          Function 00007FFAAB59D375 Relevance: .1, Instructions: 77COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 04031c1ec9b4d49c78d0d6f9b111962e83ad911da29ae22433a82b02ee2fb28d
                                                                                                                                                                                                                                          • Instruction ID: b77388c268c7542d2eb895fb5807176a29dbead0e510839b86de774503feb40a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 04031c1ec9b4d49c78d0d6f9b111962e83ad911da29ae22433a82b02ee2fb28d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CD21235251EBC28FD716933898046B16EA5EF92340F0884FED0CE8B1E7EE69A45D8391
                                                                                                                                                                                                                                          Function 00007FFAAB5A6060 Relevance: .1, Instructions: 77COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2f06d50bb7aad0e6033e50eea7c1a28ec8e78f90bed78278beb11e432c6b7bc6
                                                                                                                                                                                                                                          • Instruction ID: c08dd45f4ed618e30ad0dad0ae067282bc5fb751b531b2ba27e7f0eda9fe8f42
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2f06d50bb7aad0e6033e50eea7c1a28ec8e78f90bed78278beb11e432c6b7bc6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 48112522B1ED4A8FE6A981AD3C591793EC5EF9A25170541FFE80DE3276DC528C8983C1
                                                                                                                                                                                                                                          Function 00007FFAAB5A5D90 Relevance: .1, Instructions: 77COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 281fd32c21af3c62a9f442a9739ce0b38763c12afc09c20751d898e27afffea3
                                                                                                                                                                                                                                          • Instruction ID: 133062d489f8cab7b6618ef889055e6e786a63e42d4ba5b0703a8f667f9d6fa8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 281fd32c21af3c62a9f442a9739ce0b38763c12afc09c20751d898e27afffea3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7F11E571B19D0B4FBAD8D61CB05DA7573D6DBD9391714447ED40EC32AADD24DC464380
                                                                                                                                                                                                                                          Function 00007FFAAB59E948 Relevance: .1, Instructions: 75COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6eacb2f036fc3870203ac83e4eca8859034100a8210cfadfcd7fc7fe99d22720
                                                                                                                                                                                                                                          • Instruction ID: 4bb181d4df6d5627468b44c129e258eaa3de85f745fb47123c944986e5d6a343
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6eacb2f036fc3870203ac83e4eca8859034100a8210cfadfcd7fc7fe99d22720
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0421C35150EAC68FF761A37C98595A53FE4DF562C071888FDD08ADB1A7E814680AC381
                                                                                                                                                                                                                                          Function 00007FFAAB5A514D Relevance: .1, Instructions: 75COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a8cb54e55ad469a77c63b9923f7e1ac70499726da81205d2950ab2a2ea4a9f4b
                                                                                                                                                                                                                                          • Instruction ID: aae527f64c4cb5498bdd3af3ec0d710b85bcd27b3387aed904c988f0ccf41d39
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a8cb54e55ad469a77c63b9923f7e1ac70499726da81205d2950ab2a2ea4a9f4b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 46218E71619E468FEAA4EB2CD094EB537D1EF99380F1484B9D08FC72A7C924F8498790
                                                                                                                                                                                                                                          Function 00007FFAAB5A6041 Relevance: .1, Instructions: 75COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9a13585293c6743d55c39b0b22bfa653bf470dcb143aad24c1f3b825fa48e383
                                                                                                                                                                                                                                          • Instruction ID: a81f3f0ef8435ecd9f1e3e74eb1d205935c8fb4cd6e98ddc0d9346cb6d7667f8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9a13585293c6743d55c39b0b22bfa653bf470dcb143aad24c1f3b825fa48e383
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6F112C22B1EA868FD7A5866C385A1743EC1FF5924070941FFD40DD72B7ED119C8943C2
                                                                                                                                                                                                                                          Function 00007FFAAB59A010 Relevance: .1, Instructions: 71COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 970b9723c02e5684596118eb055629f33cf5e6e2572cae9e393bfe8d2e6aa201
                                                                                                                                                                                                                                          • Instruction ID: 75560c73fe948ad47244c94e3114f2a767ce10388c3ce88c5c376ef9c8543e03
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 970b9723c02e5684596118eb055629f33cf5e6e2572cae9e393bfe8d2e6aa201
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5121623051DA868FDB66DB28C0A4E72BBE5EF5630071485EDD09FC75B2C925E846C790
                                                                                                                                                                                                                                          Function 00007FFAAB59C6A5 Relevance: .1, Instructions: 70COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2e587c1fe84981bf4d4a9d9d8b68d9ee0123183022e60d60038c66178c39f348
                                                                                                                                                                                                                                          • Instruction ID: 201a24d13279090988164ae71ee142385b7e27130d68ec8a0094f5afe746c7ce
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2e587c1fe84981bf4d4a9d9d8b68d9ee0123183022e60d60038c66178c39f348
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6E11943070A81A8FE6A4EB2CD55867A73DAFF9A740B50847AD04FC72B3CE15AC4583C1
                                                                                                                                                                                                                                          Function 00007FFAAB5A5698 Relevance: .1, Instructions: 69COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 67b9a74dd6eed8c8e5b849d9d65aebd7127dda05ce93cd1e27e88fd0371ed9cc
                                                                                                                                                                                                                                          • Instruction ID: 84dcb02a797f060e2fb4477719c01efda38ef4c3afcc00a98751b76c2697745d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 67b9a74dd6eed8c8e5b849d9d65aebd7127dda05ce93cd1e27e88fd0371ed9cc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 651186A2B1EE4BCFF9A8D64C605C67923D5EB996D1724847ED40ED71A6DD10EC0B4380
                                                                                                                                                                                                                                          Function 00007FFAAB5A28A2 Relevance: .1, Instructions: 68COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 95fd6e06f91855cd6f868c11c46b37f73e813dd09987dbef375817c80bfd62a2
                                                                                                                                                                                                                                          • Instruction ID: 14ee3ce43e71669fd016aea3068545b5c543dcfb34dcd30e8a8992bcde919ac0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 95fd6e06f91855cd6f868c11c46b37f73e813dd09987dbef375817c80bfd62a2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0E11D03144E38A4FC7469B24A8458E17FA4EF4332471981FBE459CB1A3D62AD987C781
                                                                                                                                                                                                                                          Function 00007FFAAB7973D3 Relevance: .1, Instructions: 68COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f00af7ffe0b9d9d038e70dfdeee2b3bbc0151879dc3938d92fc8f2ddcb2c9b1a
                                                                                                                                                                                                                                          • Instruction ID: f7061d0b90c8e4085e3b79f242c27a87be0b47b1e2ce2c57b31a8e18c8066111
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f00af7ffe0b9d9d038e70dfdeee2b3bbc0151879dc3938d92fc8f2ddcb2c9b1a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4C112B3160DB465FD798EB3CE0459A87FE1EF8A31471441BAD04EC71A7CA15A88187C5
                                                                                                                                                                                                                                          Function 00007FFAAB59CEAE Relevance: .1, Instructions: 67COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b924e6ceb97edce165d11ee042b3e4c6a8dc0a5ce3214f7596c4417cb6f88965
                                                                                                                                                                                                                                          • Instruction ID: 6497ec97efc4648ad3f4153fe139404fb4b76ea510f05a09e6917013449677f8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b924e6ceb97edce165d11ee042b3e4c6a8dc0a5ce3214f7596c4417cb6f88965
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 89116531B1D919CFDA68EB5CE45657C77E1FF99750B00416AE00EC3267CE21AC0287C1
                                                                                                                                                                                                                                          Function 00007FFAAB59BE2C Relevance: .1, Instructions: 66COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7f62862fa2816fbc587d0cbfc99c3645d14d4bf06d275c9ee7f8a55a52546895
                                                                                                                                                                                                                                          • Instruction ID: 35a9d95b5add6eb8f5313b5bcf4c479b8cadbbe442d15fb1abc76eff09349364
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7f62862fa2816fbc587d0cbfc99c3645d14d4bf06d275c9ee7f8a55a52546895
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FF114092919F8B8FF7A9D75C84953F867D9E76C3C0B08057AC10EC7193DD16584A43D1
                                                                                                                                                                                                                                          Function 00007FFAAB59D355 Relevance: .1, Instructions: 65COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cc414e587858823ada30d54534e904ab7f977bc6fda84832e73bc475c70b9fb3
                                                                                                                                                                                                                                          • Instruction ID: 404b5418f3c966d045a64a40342bd90c8e782dc8bdfb61719a4d2689a868fad8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cc414e587858823ada30d54534e904ab7f977bc6fda84832e73bc475c70b9fb3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2011E65251EB828FC716A338A4156E66FA1AF92340F4444BBD0CECB1E3EDA964498791
                                                                                                                                                                                                                                          Function 00007FFAAB5A50A8 Relevance: .1, Instructions: 60COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a262f37a5bb13f2b99d2a059bbd80577f9b43fc8548c8a7433770f2a9b3eb7f9
                                                                                                                                                                                                                                          • Instruction ID: aacdac6c52b0ffc1c8ee181c8be3360b0dd3e733c342ab6468fb138956de17e7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a262f37a5bb13f2b99d2a059bbd80577f9b43fc8548c8a7433770f2a9b3eb7f9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6011303011DE898FCB96DB2DC4A4D62BBE5EF9630031485D9D09FCB2B2D925E856CB90
                                                                                                                                                                                                                                          Function 00007FFAAB7928A9 Relevance: .1, Instructions: 60COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c2f6593a0cb33a254e86cb83a18892c3add3bc1e0782c48b6c0c45e58c11102f
                                                                                                                                                                                                                                          • Instruction ID: 75c148d68059f96504a647069338ef33026191c8564827aaaac30bd1bd040446
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c2f6593a0cb33a254e86cb83a18892c3add3bc1e0782c48b6c0c45e58c11102f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D511AB34A0EA5E8FDBC4EB18C84599977E1EF567207048354D448C7279C535FC4A87C0
                                                                                                                                                                                                                                          Function 00007FFAAB59D965 Relevance: .1, Instructions: 59COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e98a99177c8535b381f11998fdb04e93a8e1b74d0bd8bfcf737adfbfc48202c4
                                                                                                                                                                                                                                          • Instruction ID: 897e6d6d2acf3e7284abdb64be64eeca9c04eea5aa1d4576ce6ec13af80798c8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e98a99177c8535b381f11998fdb04e93a8e1b74d0bd8bfcf737adfbfc48202c4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A8115E3150E7C58FD7069B3888558617FF0EF67241B1981EFD48DCB1B3DA299949CB22
                                                                                                                                                                                                                                          Function 00007FFAAB799485 Relevance: .1, Instructions: 59COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 353e2aa8046c393d95f1c0ec558553f5c12d11e619ea4d630fca6608bb71604c
                                                                                                                                                                                                                                          • Instruction ID: 1eb019caba5cfa911c5748a8a9ea14bf398f4142672d7fdb21e1c6da79e8645e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 353e2aa8046c393d95f1c0ec558553f5c12d11e619ea4d630fca6608bb71604c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CB01D661C0B789DFE791977484565B97FB0EF46250B0880F9C45C8B4B3D97A294A8342
                                                                                                                                                                                                                                          Function 00007FFAAB5A8383 Relevance: .1, Instructions: 57COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6fddaf9722b31a5bd60edba255ed758e26464798ec834d6a892a2b739735bb8b
                                                                                                                                                                                                                                          • Instruction ID: e698260a4b4416338eec32fa11ea8d3fbe27ab865a058606d541cc57a60d79db
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6fddaf9722b31a5bd60edba255ed758e26464798ec834d6a892a2b739735bb8b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0401A97270DD0D8F96D8EB1CE85A97437D1EF5936030405EBD00EC7667D911EC428781
                                                                                                                                                                                                                                          Function 00007FFAAB594DCF Relevance: .1, Instructions: 57COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7d3e5863423f6ba67a555a77d4feac411beae86348ff61455148530cd58a066b
                                                                                                                                                                                                                                          • Instruction ID: f47478d7b442bc0f5ec77d4e1211f2f2ef76f5078edbec8c4b081dddb5fd0ead
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7d3e5863423f6ba67a555a77d4feac411beae86348ff61455148530cd58a066b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E1117371D0A94E8FEBA4DB68D895BA8BBB1EF45300F1041F9D04DD72A2CE355D86CB40
                                                                                                                                                                                                                                          Function 00007FFAAB59A670 Relevance: .1, Instructions: 57COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c5ecdd840b21818e06628b6b7f65d658404260ba4c6f4466d01232569da71584
                                                                                                                                                                                                                                          • Instruction ID: 57f7091e0c5d943b989bc8f2cee18933cb42174676bb52bac1130e73d903606e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c5ecdd840b21818e06628b6b7f65d658404260ba4c6f4466d01232569da71584
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E801D130B0994E4FE6D8EB6CA84577633C9EB993A0F00027AE40DC3263ED16DC0583D1
                                                                                                                                                                                                                                          Function 00007FFAAB5A7921 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 15d2bc52856c5624a77ebe6758ae160b1ab86dbb61c7651c844f2522c3d2d47c
                                                                                                                                                                                                                                          • Instruction ID: 057b86c9c07eb68aee07438488a3f89c848091b0682de46f3ada3fed428de23e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 15d2bc52856c5624a77ebe6758ae160b1ab86dbb61c7651c844f2522c3d2d47c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D4F0592270D9480FE398A62CAC4D9723FD4DB6A17670502FFE84CC7173E9029C068384
                                                                                                                                                                                                                                          Function 00007FFAAB59BF80 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6d9cc40c4ea42a36569b888bd456dd0242ed6d4d7b558d1400be294a51231747
                                                                                                                                                                                                                                          • Instruction ID: e8b2effece92567d11e6ff7ff19b5f629bfcbf716571274d120dda18c5e555ba
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6d9cc40c4ea42a36569b888bd456dd0242ed6d4d7b558d1400be294a51231747
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FE01F971A28E4B8FDE98EB3CD0509B673E5FFE434074449BAD00EC7296DD25E8464781
                                                                                                                                                                                                                                          Function 00007FFAAB5A2D08 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 39a8cfb6209a7e4467e67340c35e75ef840d5efd8841f775e8523eed46056af0
                                                                                                                                                                                                                                          • Instruction ID: 303f26c60fe905e4b627936603a0b821213c7ff64e3dd90af7666d386c46f635
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 39a8cfb6209a7e4467e67340c35e75ef840d5efd8841f775e8523eed46056af0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3D01F530909B098FE794EB2890496BA7BE1EFD5354F04493ED88ED3371DA34A445C781
                                                                                                                                                                                                                                          Function 00007FFAAB5A4035 Relevance: .0, Instructions: 43COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 07aacba1cfe50082edf88ed41370bdb3fecc1484abe64c295a48134a1eee3a95
                                                                                                                                                                                                                                          • Instruction ID: d1f84e9a34d2066190cdaf86c4538b82b3865627c00088b029734a8b3fe2cb21
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 07aacba1cfe50082edf88ed41370bdb3fecc1484abe64c295a48134a1eee3a95
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 04F04C11B0DA878FD756E76C14592747B94DF8B11070541FBC40DCB1B3D8040D0D4392
                                                                                                                                                                                                                                          Function 00007FFAAB7987FB Relevance: .0, Instructions: 42COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0aa37bca3c0ccb18e37764c861a0f1af221316d2da1d99ad0ab06b4443888375
                                                                                                                                                                                                                                          • Instruction ID: 3109968ef41d08c44777e5c96fe9805ce484fc09f0b4015d25bb56a9ba0b60be
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0aa37bca3c0ccb18e37764c861a0f1af221316d2da1d99ad0ab06b4443888375
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1BF0377172ED1E4FA598DB0C78125B877D1EF8A7E074041BAD04EC72B6DD06EC4642C5
                                                                                                                                                                                                                                          Function 00007FFAAB5A0F12 Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 05c59ca3b56ed0e35a8a2398ce72f645b62cbb42b62e93523c8581149f58832d
                                                                                                                                                                                                                                          • Instruction ID: 9c5fe6feb64fda8b62d369967756646ec6c8881acb9c41a16a34a1ce3d33a94e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 05c59ca3b56ed0e35a8a2398ce72f645b62cbb42b62e93523c8581149f58832d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 42F0F42051EBCB5FE316972CD4189A07BE4EF46350B0C41FAD48DDB2A3D918A8998782
                                                                                                                                                                                                                                          Function 00007FFAAB599E95 Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 53a215bf201a2d6193ea6fe293dc34708ab3e0e66a9b9da07705f8fe2f75e6a2
                                                                                                                                                                                                                                          • Instruction ID: 6ee6a630372c4521741294d6d677cc2959d4e40388d5767304ea9198cc57e356
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 53a215bf201a2d6193ea6fe293dc34708ab3e0e66a9b9da07705f8fe2f75e6a2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ABF08241E0FE9B4FE256936C18651B81BD5DB9A1A074C01B6D44DC72A7ED0E488A43D2
                                                                                                                                                                                                                                          Function 00007FFAAB593E50 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7a70c252c19044ad377476f7d7dbc115ab96ef94ce7a7eccc95c8b77813dcd64
                                                                                                                                                                                                                                          • Instruction ID: ea4eccd346ecdcf5cd8647f1adf18ad4e903bf365198063553b93fd5c92b4d1d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7a70c252c19044ad377476f7d7dbc115ab96ef94ce7a7eccc95c8b77813dcd64
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 57F08C31C0560DCFD710AF65E0003F9F7B8EB4B345F40503AD00DA2291C37A9599CB54
                                                                                                                                                                                                                                          Function 00007FFAAB5A4E95 Relevance: .0, Instructions: 37COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 733431979ee41791c831c0b191155a0aeaece6ec911ca8e25d9df316756d180f
                                                                                                                                                                                                                                          • Instruction ID: 625672085cafe5feb0bf6a26d2f82d3ec7d0d54b10f504c259715a1e0183897f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 733431979ee41791c831c0b191155a0aeaece6ec911ca8e25d9df316756d180f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 13F0593140AA4B8FD314D75C84995A077E0FF18350B4401BED44DC72E3DB28EC948381
                                                                                                                                                                                                                                          Function 00007FFAAB5A32DD Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c44c50004261b3e1cb4013d99d031f894189a44ce478120363612e010fb0bbb3
                                                                                                                                                                                                                                          • Instruction ID: 43acd4165b29ea07d81dfa41dd2276be4e4b8659d2d021983bdc63bfa17f16a5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c44c50004261b3e1cb4013d99d031f894189a44ce478120363612e010fb0bbb3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C4F02721B15E0A8BDA68A73C9459AFA23D6EB86340F804439D40FD3186DD18684B83C1
                                                                                                                                                                                                                                          Function 00007FFAAB598691 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1a63902d76a7115f3ced4f202e4c793465bda7cb437e0162c253ae1becb0edc2
                                                                                                                                                                                                                                          • Instruction ID: a67634e998cd917a9b66c10d069ea90dfd1ebf2489aa07451ad8d85d17e090c0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1a63902d76a7115f3ced4f202e4c793465bda7cb437e0162c253ae1becb0edc2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0CF03031C4560ECFC7149F55E4403FDB6B8FB4B245F402539D10DA6191D7BA9699CB84
                                                                                                                                                                                                                                          Function 00007FFAAB5A8F24 Relevance: .0, Instructions: 35COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 286d97255bd2a515257871fb5cd38552f7b03ee190ccfe66bdedabb6cbc792d3
                                                                                                                                                                                                                                          • Instruction ID: 7aa6daca473f28fd8e1afadac1035ad3b03a680af28ea15f7f2e6f31905f34dc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 286d97255bd2a515257871fb5cd38552f7b03ee190ccfe66bdedabb6cbc792d3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 19F0903520EA8A8FD794DA4CD4D8BA5B7A6FB99350F4441A9C14DC7256C631AC4587C0
                                                                                                                                                                                                                                          Function 00007FFAAB5980DD Relevance: .0, Instructions: 33COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 39fa66b3f0a0d8d1cdd5eea092b68908e5fba94a7d3a8218a16b8868afee6bf7
                                                                                                                                                                                                                                          • Instruction ID: 3dd3db0b7fb220bad875828145463c684215af413709e053d050f07cf375f200
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 39fa66b3f0a0d8d1cdd5eea092b68908e5fba94a7d3a8218a16b8868afee6bf7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 29F0547090965E8ED7A5AB28C4153EA76E1EB45340F0448BB900EE3292DF355945C681
                                                                                                                                                                                                                                          Function 00007FFAAB592EAC Relevance: .0, Instructions: 32COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: aee277d36657ed10a2ed7e8f487381d6590aaf752f51f4defc314029cf97bf88
                                                                                                                                                                                                                                          • Instruction ID: cd0b193b154e71cc565b76844e842c5c46e6d5d8951838cb1e3d08c4658c483a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aee277d36657ed10a2ed7e8f487381d6590aaf752f51f4defc314029cf97bf88
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 84F0583191494E8FDF84EF64D854AFAB3E0FF59300F4449B6E40ED71A2CE31A9558B80
                                                                                                                                                                                                                                          Function 00007FFAAB59BC4A Relevance: .0, Instructions: 31COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dbb8522bbf350b06b567aa530178adbf9f6d42ee594abaae8b7d404122b09373
                                                                                                                                                                                                                                          • Instruction ID: 4c8eda0fb9c9c5b9c17ec9865512ddd3bae6be90dc82c232e19daef1d05b3983
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dbb8522bbf350b06b567aa530178adbf9f6d42ee594abaae8b7d404122b09373
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 70F054A5D2560ADFEB84E798D885AACB7F2FF8C740F504470E05DA3293CE2968418B55
                                                                                                                                                                                                                                          Function 00007FFAAB7A1C68 Relevance: .0, Instructions: 29COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 12cdd910b71d4ee99f9c98855a20faf3904803ea04301e9b670bda24d284160f
                                                                                                                                                                                                                                          • Instruction ID: 3cd49e09f699f0aa90fa79d428fcc8b098eecada7e526b0be6832ab685910367
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 12cdd910b71d4ee99f9c98855a20faf3904803ea04301e9b670bda24d284160f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9CE0D873E0E60A4AFB884A9AF4C61F863E0DF533A4F00403ED14C829A2EE65640A4784
                                                                                                                                                                                                                                          Function 00007FFAAB59AF5E Relevance: .0, Instructions: 28COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a0d3a2f6a74df4c0a774296e3b1c5f657d9398ea71036a6a2db10c09a6e56868
                                                                                                                                                                                                                                          • Instruction ID: 3fdeb98dbbce055f7b38e5e6d12c48e5faa31191f393cb59313f4360aaf2a4b1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a0d3a2f6a74df4c0a774296e3b1c5f657d9398ea71036a6a2db10c09a6e56868
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B6E0D8C180FAC68FE7425778481A4907F94AF57250B0C80F6D14CCB0A3D509D0098392
                                                                                                                                                                                                                                          Function 00007FFAAB598075 Relevance: .0, Instructions: 24COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6c1592191e52b27a2b51b5a0065f9dea40f2be4ed8e5ed983dc233db653f8e6a
                                                                                                                                                                                                                                          • Instruction ID: 271ad43d66ca5713868928ab50742c5969a19c3ef23a58c012f922ea2301408e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6c1592191e52b27a2b51b5a0065f9dea40f2be4ed8e5ed983dc233db653f8e6a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 33E05271A0552D8EDB94EA68D451BEDB7B1FB94211F5044BAE00DE3252CA3569818B40
                                                                                                                                                                                                                                          Function 00007FFAAB5AEDC0 Relevance: .0, Instructions: 21COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 79a647578c573f7eb1b2398c2042e52229d576984c0bf35a9a476796d1766353
                                                                                                                                                                                                                                          • Instruction ID: f9b987cc9cb3e2436812cb1e9c3c175227c2e15006c1fd573ff2c08b31e9794c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 79a647578c573f7eb1b2398c2042e52229d576984c0bf35a9a476796d1766353
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 48E0B64041F6CA5FEE52B77C459A19A7FA0AE0B180B1C84EDD49A9B0B3E509140EC342
                                                                                                                                                                                                                                          Function 00007FFAAB5A489A Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2a1d18a8f1de13220d7ecfae2cef08c96bbc5fa8b0b9b56db5b8c097060de545
                                                                                                                                                                                                                                          • Instruction ID: 966dc923b28f5fdf404e758cae1268712f10e8ac526ee8f86221f9a809194e76
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2a1d18a8f1de13220d7ecfae2cef08c96bbc5fa8b0b9b56db5b8c097060de545
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 88D0A712B14E05078964A67CF4011EAA2D1EBD42307400BB6D01BC72C9EE2894474781
                                                                                                                                                                                                                                          Function 00007FFAAB599D30 Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6d071edf623cba684be9ae90d4f04122cb87004aa18275e3c58c9de197a590d3
                                                                                                                                                                                                                                          • Instruction ID: b70a802199e57905fbc7158885136964a886166c46f727491aa388ab0ea8733f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6d071edf623cba684be9ae90d4f04122cb87004aa18275e3c58c9de197a590d3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 24C08001E1991707B678B37D3C420F471C9CB49110B4595B2E41DC219BDC5E5C8501C1
                                                                                                                                                                                                                                          Function 00007FFAAB5A1DB0 Relevance: .0, Instructions: 15COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7d223c539f47a74912be6568b9f61e04f1d68def2e89c0f540cfc047b038764a
                                                                                                                                                                                                                                          • Instruction ID: 670e8e02e5857462ddf10f44ad14fb0df2c70ef9ae61d5367372c7cee43c2ddc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7d223c539f47a74912be6568b9f61e04f1d68def2e89c0f540cfc047b038764a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 12D0C99798D0620796013279F8124E46B659F1566870C8AB2D0DD0C0D35C08609E8A8D
                                                                                                                                                                                                                                          Function 00007FFAAB5AAAF7 Relevance: .0, Instructions: 14COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3e02484a5a135b3354316f3ce644923fabeb4be8a66c23468d5f5fdf176fdf22
                                                                                                                                                                                                                                          • Instruction ID: c1b94c7cc398daf8d02faa777612c4716ab7be090f59f07589eb3e287f482e25
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3e02484a5a135b3354316f3ce644923fabeb4be8a66c23468d5f5fdf176fdf22
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CAC08C3084F08FCAD710DB20A4895F473A8DF87280F04A0B9D20E6F4A3CD66A51C8682
                                                                                                                                                                                                                                          Function 00007FFAAB5A86A7 Relevance: .0, Instructions: 14COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 97342bbe9df2d4e6b191e9d155f9a891bcc84cd3cd00eaf691a4888246455346
                                                                                                                                                                                                                                          • Instruction ID: f8b57707391b6c8130818e0b988c4faeedd7127efd27ee8e89bc99828665f092
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 97342bbe9df2d4e6b191e9d155f9a891bcc84cd3cd00eaf691a4888246455346
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2FC01231245419CFD6C0970CF8486647390EB46221F4502F1E00DDA155C95658454740
                                                                                                                                                                                                                                          Function 00007FFAAB59D240 Relevance: .0, Instructions: 13COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a8fa0173d33c45045b8c4fd5a2b8b6534682aa010568ae77edcae4dfb97f6766
                                                                                                                                                                                                                                          • Instruction ID: 55a183885929b780a42e461f38630ba53f434a4f1dcb244003a390760b030f09
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a8fa0173d33c45045b8c4fd5a2b8b6534682aa010568ae77edcae4dfb97f6766
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4BC0029B88D1A213E50132B8F4468F81B6A0F0A329B089AF2E15E0D4E34C4920CA5D8D
                                                                                                                                                                                                                                          Function 00007FFAAB59AAE0 Relevance: .0, Instructions: 11COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 25a06580e7b2c42d0ac187b5a5ef4f0898837eb4e33d6ad49e3c09b5f21fce48
                                                                                                                                                                                                                                          • Instruction ID: 3dbc93a6a21fd7b96257f061446637eb4448a2efedf5a6fefb92846a4067e033
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 25a06580e7b2c42d0ac187b5a5ef4f0898837eb4e33d6ad49e3c09b5f21fce48
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2CC08C6082594A8ECA18B73884410147290FF08240FC005F4E00DC2281D62DD0844B85
                                                                                                                                                                                                                                          Function 00007FFAAB595D2A Relevance: .0, Instructions: 10COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: da3ce3b5165b8dfcc525e05b97c64ba91bd2149b1189fe1f967a0085701585f8
                                                                                                                                                                                                                                          • Instruction ID: 440d7db53df5093e13d7520c6db3337e12d06d45904684635624b889c73066b9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: da3ce3b5165b8dfcc525e05b97c64ba91bd2149b1189fe1f967a0085701585f8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 49C04CA2908B1D4EB7C4DB5C58881E8ABA5EBA4654B004115D109D2155DE2055055780
                                                                                                                                                                                                                                          Function 00007FFAAB5981AE Relevance: .0, Instructions: 9COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2313374113.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab590000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 875a6cb18ea96debba7b9259da93aa9e0d660fceedeed3f445264f63b3c58aa7
                                                                                                                                                                                                                                          • Instruction ID: 5822c8274b207535929c3b18ab0227069192b28eb5d34c0c26156acfc3a360e6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 875a6cb18ea96debba7b9259da93aa9e0d660fceedeed3f445264f63b3c58aa7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B9C09B6050559C5FD3939B79147D7967FF09F15101B1804DF44DDD71E1D52414478745
                                                                                                                                                                                                                                          Function 00007FFAAB7A0BF4 Relevance: .0, Instructions: 9COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000010.00000002.2325905962.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_16_2_7ffaab790000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e5379e3c5884872ba922d86b56cc16863c579f99c30ca437e8506d9c58158a75
                                                                                                                                                                                                                                          • Instruction ID: d83f4de8791a1d7dda17b0e9a160535705e2253125e6a8955fdb86c65ee9c508
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e5379e3c5884872ba922d86b56cc16863c579f99c30ca437e8506d9c58158a75
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BCB012F1E22A058FA2D55E1C50092F13BF2E769A80310802FD45CC76B0ED610C8B4FC2